Thomas Hampel

 15 September 2023
I'm using a Canon printer for years and it works very well despite being 10+ years old.
All computers on the network are using this printer for years.

Now I wanted to add a new Apple Macbook to my configuration and of course wanted to configure this printer.
The printer is detected on the Bonjour network, but unfortunately it can not find any driver.

Looking up Canon's Support website the printer is still listed with all its drivers. However, not for the latest Apple operating systems like Ventura, Big Sur, Catalina, nor Mojave, High Sierra, or Sierra.
The latest driver version available is for MacOS 10.11 (El Capitan) - its called MP640 series CUPS Printer Driver Ver. 11.7.1.0 (OS X)



Trying to install it on any current MacOS release is failing because the operating system is (of course) not supported. Typically your options at this point are
(a) get a new printer
(b) try installing an older version of MacOS and try installing the driver, then upgrade again.  
(c) trying to get the drivers ported from one machine to another by working with CUPS

Interestingly enough I know that the driver itself DOES work very well because on other machines with BigSur or later operating systems printing works just fine.
It seems that having installed the driver in an earlier version of MacOS allowed to carry its functionality forward, so there is no technical reason why it should not run.
Conclusion => it's only the installation routine that will prevent its installation.  

Hint:
Start with the Canon IJ Network Tool which is used to configure the printer. That tool still works on later releases incl. Ventura and it can be used to verify the communication between your Mac and the printer.

How to make it work?

Having downloaded the latest (old) available *.dmg file, e.g in my case it is the MP640 series CUPS Printer Driver Ver. 11.7.1.0 (OS X)

1. Open the file (double click) to mount it, it should look like this:
mcpd-mac-mp640-11_7_1_0-ea17_2.dmg
 

2. In this image, find the driver file which should have a *.pkg extension and copy it to e.g. your desktop or any other temp directory
PrinterDriver_MP640 series_110701.pkg

3. Open a new terminal window and run the command
> pkgutil --expand "PrinterDriver_MP640 series_110701.pkg" mp640

this will extract the files contained within the pkg file into a new subdirectory.

4. Within this new directory, edit the file "Distribution" with a text edito of your choice
> cd mp640
> nano Distribution

5. Search for a routine named "installationCheck()" and patch it to always return true.

BEFORE:


AFTER:


and of course make sure save your changes!

6. Repackage your changes into a new *pkg file using this command
pkgutil --flatten mp640 "PrinterDriver_MP640 series_PATCHED.pkg"


7. Enjoy installing your new printer driver*
Note: will only work on the same CPU architecture the driver was developed for. May not work on the new ARM CPU's

References:

• Canon MP640 series Printer Driver Ver. 11.7.1.0 for MacOS X

Canon IJ Network Tool Ver.4.7.2 (MacOS X)

https://discussions.apple.com/thread/5490701

Thomas Hampel

 20 February 2017
This is the fifth post our of a series of blog posts describing how to move from password based to seamless authentication.
In previous posts I've been discussing LDAP and SPNEGO configurations which is okay for Windows environments, but not sufficient enough for mixed or very distributed environments.
Next stage is to enter the 21st century by using SAML authentication for your on premises servers.

Level 5 - SAML Federated Authentication for Browser Clients
SAML authentication - Security Assertion Markup Language - allows Browser clients to authenticate against Domino without submitting credentials to the Domino server.
When a browser client is trying to access a Domino resource (=Web site) where SAML is enabled, Domino will refer the browser to the SAML Identity Provider configured for this web site.
The Identity Provider (e.g. IBM Federated Identity Manager or Microsoft Active Directory Federation Services server) will authenticate a user either by prompting for username & password, or by using seamless authentication such as Windows integrated authentication / Kerberos. In both cases the authentication authority remains with the Identity Provider so thats where you define how a user is authenticated (WIA, 2FactorAuth, etc.).

Default scenario for an identity provider initiated logon is a web page proided by the ADFS server where users can select what resource they want to sign in to.

it is also possible to initiate the authentication from the service provider. When Domino needs to authenticate a browser user, it will redirect the user to the identity provider.
Using ADFS it is possible to add an URL parameter that will redirect the authenticated user to another site.
https://your-adfs-server.company.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=https://domino.company.com/names.nsf

Pros and Cons
+ Seamless authentication for browser clients
+ Independent from operating system of server
- Does'nt work for Traveler
- This blog post only handles browser clients, but not the Notes client.

Idea and Concept
For a better understanding of the SingleSignOn SPNEGO and SAML please see Gabriella's presentation Simplifying The S's: Single Sign-On, SPNEGO and SAML

Prerequisites

• You have completed Level 1 - LDAP Authentication
• Domino Server must be running version 9.0.1 or above and -to be on the safe side- should have a current fix / feature pack applied
• Microsoft ADFS 2.0 or 3.0 server (or any other supported SAML Identity Provider)
• SSL is enabled on Domino and the ADFS server
• Active Directory User Object must have an attribute (e.g. internet address) in common with the Domino Directory person document of the Notes user.
• All servers involved in SAML authentication must use time synchronization because SAML depends on time stamps to be correct.

How to configure SAML for Domino
Andy Pedisich did a great job in pulling together all required information in his IBM Connect presentation SHOW100 - AD + SAML + Kerberos + IBM Notes and Domino = SSO!
Since the presentation already covers all the details, I'm only going to highlight the main actions

• Set up and Configure a SAML Identity provider, e.g. Microsoft ADFS Server or a free alternative  
• Create and configure the IDP Catalog (idpcat.nsf) - slide #32
• Create a Relying Party Trust in ADFS
• Update Internet Site Configuration to use SAML for session authentication instead of Multi Servers (SSO)
  

Although Andy's presentation includes more details on using SAML for the Notes client, I am keeping this blog post limited to browser clients as I will be publishing a blog post just for SAML authentication in the Notes client shortly.

Result:
Seamless authentication works fine as before but now using ADFS as identity provider.
Domino servers will never get the username/password of the users - your security folks will like that.
This is the foundation for establishing Multi-Factor Authentication based on ADFS / SAML by your ADFS admin.

References:

• Configuring an IBM Domino Web server to use SAML-based single sign-on
• Daniel Nashed - Domino Federarted Web Login / SAML with F5 and ADFS 3.0
• Bill Mathers - Multi-Factor Authentication based on ADFS / SAML
• Gabriella Davis - Simplifying The S's: Single Sign-On, SPNEGO and SAML

Thomas Hampel

 13 February 2017
Based on a recent discussion with a customer it seems there still is not enough information on how to simplify authentication for Notes/Domino users.
This is the first post our of a series of blog posts describing how to move from password based to seamless authentication.

Level 1 – LDAP Authentication
Main goal of this level is to provide users with the ability to authenticate with Domino internet protocols such as HTTP using LDAP (e.g.Active Directory) credentials. The Notes Client authentication remains unchanged.
When using a web browser to access a Domino server, users will be prompted for username and password.
This authentication dialog looks like one of the following examples:

Credentials entered here will be forwarded to Active Directory for authentication.
Within this process username and password will be sent over the network, so it is highly important to secure the transmission using SSL/TLS.

Pros and Cons
+ Lost/forgotten passwords on a monday morning are no longer your problem. The AD guys have to take care :)
+ No need to manage HTTP passwords and no need to sync HTTP and Notes passwords
- All authentication requests will be forwarded to LDAP/AD, entering wrong passwords multiple times -depending on your policy- will lock out your AD account.

Prerequisites:
In order for Active Directory authentication to work, the Notes user name must be stored within Active Directory (or the AD name must be stored in Domino). This is required to map Active Directory user name to a Notes user name.

• Within Active Directory, each user object must have a (custom) attribute storing the Notes User name in DN format. This format is described as the full canonical user name of the Notes user (e.g. “CN=Firstname Lastname,OU=Department,O=Company”) where any slash (“/”) is replaced by a comma (“,”)
• The name of this (custom) attribute of the user object in Active Directory can be any name of your choice, I will be using “mailNickname”, but you can use any other attribute you like.
  This attribute is recommended to be included in the AD Index for performance reasons. For details how to do this, please refer to this article which relates to an older version of AD but is still valid.
• Synchronization from Domino Directory to Active Directory is done on a regular basis, e.g. by using TDI (which is free for Domino customers) with some AssemblyLines for Domino
• A non-expiring Active Directory User account is required that will be used by Domino for Single SignOn purposes.

How to...
reconfigure Domino HTTP authentication to use Active Directory for authentication of browser sessions?
If not already done:

• Import the trusted root certificate of the LDAP server into the key ring file of the Domino server.
  Please note that Domino will be the client for the LDAP session in this case, so the *.kyr file that is being used is the one in the server document!
• Create a Directory Assistence (DA) database
• Add the DA to your Domino server document
  

okay, whats next:

1. Within the Directory Assistance database, add a new document and configure it like shown below:
   
   Of course you are supposed to supply your correct Kerberos realm name. If in doubt, ask your AD admin.
2. Set "Trusted for Credentials" to Yes
   
3. Configure how to connect to the LDAP (­) server.
   
4. Save & close

Now restart the Domino server and check if LDAP is being shown in the list of directories.
Issue the command "Show xdir" at the server console for details.

Troubleshooting:
Apache LDAP Studio is your friend. Make sure your LDAP credentials are correctly working and that your Base DN is providing the expected results before setting up Directory Assistence towards AD.
Some more hints:

• You can specify multiple LDAP servers, they will be used one after the other based on the search order you have supplied
• Search order in the Directory Assistance document must be unique. You can not use the same "Search order" twice.
• Domino will be the client for the LDAP session in this case, so the *.kyr file that is being used is the one in the server document!
  If you are using Internet sites, then Edit the server document, disable internet sites (without saving) and specify the *.kyr file there. When done, switch back to the basics tab and re-enable Internet Sites.
  The file specified will still be used for all outbound connections, the kyr file specified in the internet sites is used for inbound connections only!
  
• Thes Notes.ini variables will increase the log level for further debugging
  debug_directory_assistance=1
  debug_namelookup=1

Result:
When prompted for username/Password you can now use your Active Directory username and AD Password.
Transitioning from Domino HTTP passwords to AD passwords is seamless because users can still use the Domino HTTP password even if LDAP authentication has been configured.
Once the transition is completed you should clear the HTTP password field from the person document.

Thomas Hampel

 9 August 2015
Summer time, vacation time... You have enabled Out of Office notification, so why would you want to duplicate inbound mails?
Lets say you really are offline and you want your deputy / stand-in to take care of new mails, what options do you have?
In best case we want a deputy to receive a copy of each mail while keeping the original mail in your inbox.

Delegating Access
A first option is delegating access to your mail - this will grant read access to all your data and your deputy wont get notified on new mails.
Another option is to just forward all mails to your deputy by defining a forwarding address in the person document:

This is not a good idea for people who want to see what happened while they were out because mails will just be forwarded. You wont get any mail in your inbox this way.
It might not even be an option as some organizations do not allow users to edit the person document.

Mail Rules
Another option is to use mail rules in your Notes client to send a copy of each inbound mail to somebody else. This can be done by creating a new rule which applies to all documents...

and defining a recipient of your choice --- in this example its "firstname.lastname@domain.com"

Works like a charm, but what if your Administrator has disabled user rules mail forwarding in the configuration document of your server?

...or even took more drastic measures like modifying your mail template to not even show the option "Send Fully Copy to..:" ?

Agents
You could look into writing an agent that runs on the server, but no Domino Admin should allow users to run scheduled agents on the mail server.
So trying to create an agent in your mail file will most likely end up with "You are not authorized to use agents in this database"


Duplicate Mails (with help of your Domino Administrator)
Since you have rewarded your administrator recently for keeping your computers running you'll get friendly support for the following configuratoin:

What you need to do:
1.) Create a Mail-In Database document which points to the mail file of the user who is out of office.
Make sure the Mail-in name is unique and does not resolve name lookup conflicts


2.) Create a Group of type "Mail only",
members of this group will be Mail-in database which has been created above as well as any person who shall receive a copy of the mail(s).
You can define one or multiple recipients using internet mail addresses or Notes user names.


3.) Edit the person document and put the Group name created above to be the forwarding address


4.) Testing
Wait for replication to finish within your Domain and send a test mail to the user.
This mail will be delivered to the original users mail file and also to the deputy(s) defined in the group.

Remarks:
Depending on how you have configured the Recent Contacts feature your Notes client might show the name of the mail-in database in future name lookups.
If this is an issue either purge your recent contacts or disable it completely

References:

• IBM Lotus Notes 8 Recent Contacts and Type-ahead features: FAQs

Thomas Hampel

 27 March 2015
Tip of the day:
When running Domino server commands on the operating system of a server, make sure to run the command from a console with Admin access rights, otherwise you'll get this:

PANIC: Unexpected internal error returned to logger: 0x20692010



Reference:
SPR # PALL8WA3Y8

Solution
Open a command prompt by right clicking and selecting "Run as Administrator", then run the command(s) again.

Root cause:
Problem in front of keyboard.

Thomas Hampel

 5 January 2015
Monitoring Domino servers via SNMP should be a simple task, if it would be documented properly.
There are quite a few blog posts out there on the internet such as this nice article by Detev Schuemann which unfortunately is in German.. So I'd like to provide an english translation with a few updates which in my opinion are valuable.

Background
Simple Network Management Protocol (SNMP) is a protocol for monitoring network devices such as routers, switches, servers, printers and much much more.
Vendors of a device are providing a definition of values which can be read or modified in form of a MIB (Management Information Base). Those values are called OIDs (object identifiers) and are ordered in a hierarchical structure.

MIB definitions for Domino can be found online http://www.oidview.com/mibs/334/NOTES-MIB.html
A MIB file for IBM Domino can be found in the Domino program directory and is called "domino.mib"
On a Linux server the file can be found here /opt/ibm/domino/notes/latest/linux/domino.mib

Step-by-step Instructions
For each Domino server which you want to monitor, you need to enable SNMP support, the following is a step by step description of what you need to do for a Domino server on Linux. Instructions for Windows are available here
Examples below are based on CentOS which is using yum as package manager. For other Linux distributions commands are slightly different, also path references shown in the example below might not be the same for you.

Step 1 - SNMP Master Agent
Although Domino its own snmp master agent, I recommend not to use it because the version supplied with Domino is the rather dated version 5.0.7.
Currently version 5.7.3 is the latest version available. Check the net-snmp change log to see what has changed between versions.
Obviously you should prefer using the operating system snmp master agent which comes preinstalled for a number of Linux distributions.
If not already installed, you can install the package net-snmp with the following command.

# yum install net-snmp

The library net-snmp-utils provides some additional tools like snmpwalk, which we will need later on for testing functionality

# yum install net-snmp-utils

To check the version you are running...

$ snmpwalk --version

Note: Current releases of CentOS and Redhat provide net-snmp version 5.7.2 by default.

Option B - NET-SNMPD v5.0.7 provided by Domino
Domino provides net-snmpd in version 5.0.7  - again, I do not recommend using this version.
However, if really want to use it enter these commands to copy the required files to the /etc directory and make sure the service is started after a reboot.

Note that in this type of configuration your settings are stoed in the file  /etc/net-snmpd.conf

Step 2 - Update Configuration
Back up the original config file to a location of your choice

cp /etc/snmp/snmpd.conf /root

Edit the file /etc/snmp/snmpd.conf . Modifying this file is only required if you are using the master agent provided by your OS.

# nano /etc/snmp/snmpd.conf

1.) Search for sysLocation and update it according to your needs as shown here:


2.) define a username/password combination for SNMP v3 authentication
Of course the user name and password used in this example are to be changed to fit your needs

createUser SNMPv3UserName MD5 SNMPUserSecretPassword AES

3.) At the end of the same file, add this line:

smuxpeer 1.3.6.1.4.1.334.72 NotesPasswd

Dont forget to save the file

Step 3 - SNMP Startup Script
Although you could add /usr/sbin/snmpd as a service directly, its probably more useful to use a startup script.
Domino already provides such a script - you just need to modify the configuration so that it can be used.


Update the configuration (starting in line 31) as follows:

Make sure the startup script runs at next boot


Step 4 - Update Firewall Rules
SNMP requires UDP port 161 to be accessible, so you need to open this port on the local firewall.
Do not forget to open this port on any other firewall on your network which is between the monitoring server and your Domino server


Step 3 - Testing basic functions
Test basic SNMP functionality from the local host and also from a remote server.

# snmpwalk -v3 -u SNMPv3UserName -A SNMPUserSecretPassword -a MD5 -l authnoPriv dominoserver.domain.com .1.3.6.1.4.1.2021.100.2.0

As a result you should get the version number of the SMTP master agent


Step 5 - Enable Domino SNMP Agent
Make sure LNSNMP will be started after a reboot. (Note: change the path to match your configuration!)

In case you get the error  "LOTUSDIR must be set in the environment or in this script." you need to update script so that it can find the path to your Domino server, e.g. LOTUSDIR=/opt/ibm/domino

if everything has worked out, starting the lnsnmp should provide the following output


Step 6 - Domino Tasks
Start the following tasks from the Domino server console

"quryset" is required to support SNMP queries
"intrcpt" is required to support SNMP traps for Domino events
"Collect" is required to support statistic threasold traps
Create a program document or add the tasks to the Notes.ini variable "ServerTasks=" so ensure they are started automatically after a server restart.

Step 7 - Testing Domino SNMP agent response
Now its time to test if we can access Domino objects via SNMP, e.g. by reading a single value.

$ snmpget -v3 -u SNMPv3UserName -A SNMPUserSecretPassword -a MD5 -l authnoPriv dominoserver.domain.com .1.3.6.1.4.1.334.72.1.1.6.2.1.0

Should return the fully qualified Domino Server name as a string


Ok, you're done... the Domino SNMP Agent is configured and can be used.
However, there still is some work to be done on your SNMP management console e.g. Nagios ,FAN , Cacti (or whatever you are using) in order to monitor Domino via SNMP (for example, server down).

Next Actions:
If you like this post, please let me know via Twitter @ThomasHampel or by leaving a comment below. Please note that comments are moderated and wont show up before being approved.
Hint... configuring Nagios for Domino monitoring and configuring Cacti for trend analysis is subject of another blog post which I'm already working on.

Troublshooting

• Check snmpd.log for errors
  # cat /var/log/snmpd.log
• Error : refused smux peer: oid SNMPv2-SMI::enterprises.334.72, descr Lotus Notes Agent
  see IBM Technote 1313318
• Error - Unknown User
  Either a typo in the user name or you forgot to add the user to the snmpd.conf file in step 1, search the config file for something like this:
  createUser SNMPv3UserName MD5 SNMPUserSecretPassword AES
• Error in packet. Reason: authorizationError (access denied to that object)
  The user exists and the password worked, but does not have access rights required. Check snmpd.conf to see if you have granted at least read only rights, search the file for a string like this:
  rouser SNMPv3UserName

Tools:
Take a look at Paessler SMTP Tester (Freeware / Windows)


Further reading:

• How to set up Domino and SNMP in Windows
• IBM Domino MIB - Notes-MIB (v1) Tree

Thomas Hampel

 17 December 2014
Believe it or not, English is not the only language on our planet...and the Notes client of course needs to provide spell checking capabilities for the most common languages.
For Notes v8.5.1 and above IBM provides dictionaries in XTAF format shipped in a ZIP file which can be installed via File\Applications\Install, but I dont want the average end user to do that alone.

Although the Notes Client installer package can be customized to include additional dictionaries, you probably have deployed the Notes Client already.
So how do you deploy additional dictionaries without building a new client package, preferably in a way that end users can self decide which dictionaires they would like to install?

Main idea is to use Widgets for allowing users to self install dictionaries they need by using a Widget Catalog and thw My Widgets sidebar of the Notes client.
Ok, lets get started...

Preparations

• Download the required dictionary files Passport Advantage
  Package is titled "IBM Notes XTAF Dictionaries V9.0", part numbers are :
  Mac=CIF0DML
  Linux=CIF6BML
  Windows=CIF0EML

Build an Eclipse UpdateSite for the XTAF dictionaires

• Extract the packages to a new temporary folder, once completed it should somewhat look like that:
  
• Now you would create one subfolder for each language and extract EACH of the ZIP files into its own folder, and unzip files one by one.
  If you dont like to do this yourself, just put the following batch file into the same folder and run it.
  unzipXTAFsites.cmd
  It will use 7zip (which you have installed hopefully) to unzip each file to its own subfolder
  
  Once completed you should have 23 subdirectories by now, each one should contain the following:
  
• Create a new NSF based Eclipse UpdateSite, a new one is recommended for not mixing up with other versions
  Make sure to set up a propper ACL, users should have read access only!
• Open the newly created database and use the button  to load each of the XTAF dictionaries into the Eclipse Update Site
  The result should look like this:
  

Creating Widgets

• If not already available, create a new Widget Catalog as described here
• In your Notes Client, start creating a Widget by clicking the icon "Getting Started with Widgets...."
  
• In the first dialog choose "Features and Plugins"
  
• Enter the URL for the update site.
  If you want the connection between the client and the server to use the Notes protocol, use "nrpc://" e.g.  "nrpc://your-servername/path/updatesitefilename.nsf/site.xml"
  if you want to use the HTTP protocol, use "http://" or "https://", e.g. "http://your-servername.domain.com/path/updatesitefilename.nsf/site.xml""
  Click on "Load" to see the list of available features to install.
  
• Select the language(s) you want to wrap into a widget, click Finish to create a widget.
  I do recommend one widget for each language, of course you can also wrap all at once into a single Widget or just use subset of available dictionaries.
  Note: You do not need to restart the Notes client when you are prompted.
• Within the Widget Sidebar of your Notes Client, choose the new widget and right-click it to publish the widget to the widget catalog
  
  Dont forget to add meaningful details in the new document so that your end users know what the widget provides.
  e.g. All Dictionaries for IBM Notes 9.0
  and in the details section of the widget, provide a meaningful text explaining how to install a widget, e.g.:
  The result should somewhat look like this:
  

What end users need to do to (manually) install a new dictionary  
When not using policies, end users need to...

• Click "File\Preferences\" and select "Widgets"
• Enable "Show Widget Toolbar..."
  
• This will show the new My Widget sidebar panel on the right hand side of the Notes client.
  
• Click the first icon  "Browse the Widget catalog"
• Open the widget catalog entry for the language(s) you want to install
• Drag & drop the file attachment "extension.xml" from the catalog into the "My Widgets" sidebar
  The Notes Client will now automatically install the dictionary files and will prompt to restart the Notes client.
  
• After restarting the Notes Client, additional dictionaries are available in "File\Preferences\Spell Check"
  

How to deploy dictionaries using Domino policies

• Within the Desktop Policy Settings, verify that you have specified the widget catalog server and filename
  
• In the same document, define a catagory which will be automatically deployed to end users, in this example it is "Autodeploy"
  You can of course use the category "Dictionaries" which you have defined when creating the widget itself but this will not allow to fine tune which dictionary to be pushed out.
  
• Back in the Widget Catalog, modify those widgets which you want to deploy and add the (new) category "Autodeploy" to each of them.
  
• Once done, the widgets/dictionaries will be deployed to your end users the next time they start the Notes client.

Conclusion
I know there are lots of other methods to roll out dictionaries, e.g. by using File\Application\Install , but I find this too complicated for average users.
Make sure to show the sidebar "My Widgets" to your users...
If you're using a desktop policy, check if you have set the parameter "Show the My Widgets panel in the sidebar:" set to "Yes" in the tab "Widgets" of the applicable policy settings document.

Reference:

• How to pack custom dictionary as XTAF plug-in and install it in Notes 8.5.x Standard
• Making Lotus Notes 8.5.1 and greater language spell check dictionaries available to users
• Deploying XTAF dictionaries to Notes clients via a Widget Catalog
• Microsoft Technet - FOR command

Thomas Hampel

 7 May 2014
Setting up SSL in Domino using Self Signed Certificates is easy, one can choose between SSL using Domino as Certificate Authority or setting up SSL in Domino using the CA Process or even using an IBM HTTP Server in front of Domino
Since I'm still getting questions on how to quickly create a self signed certificate for Domino, here is a guide for dummies....

When working with self signed certificates in Domino, the product documentation wont tell you there's one small problem:
In the standard Domino Server Certificate Administration template (csrv50.ntf) there is no option to specify the key length for self signed certificates, so by default any new keys will be created with a key length of just 512byte, which is not enough for modern browsers nor for Internet Explorer 9 (or above), see http://technet.microsoft.com/en-us/security/advisory/2661254


So lets get this fixed by applying some small modifications to the template so the key size can be adjusted when needed. At the same time we can also change the default validation time to be configurable.
Continue Reading "The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino" »