Query results for : June 2012
Signing and deploying Eclipse Plugins into Notes Clients- 26 June 2012 - (2) Comments
Thomas Hampel
26 June 2012
Installing Eclipse plugins in a Notes client is a simple task. I'm sure users would be even happier if admins signed them properly before rolling them out.
Otherwise, that is when they are not signed or are signed with an invalid signature, users will see messages like this:
For a quick and dirty solution it would be possible to set some preferences in the plugin_customization.ini or in the Notes client so that it will not show these warnings at all.
Unfortunately this will lower the security of the entire environment and is therefore not recommended.
The better method is to sign the plugin properly with a self-signed certificate and then create a trust relationship with a Domino root certificate.
So these are the actions that need to be performed:
1.) Extract the Eclipse update site you want to sign to a temporary location on your hard disk
2.) Detach this command file to the same folder location where the file "site.xml" is located
signupdatesite.cmd
3.) Edit the file and customize the settings according to your needs - see remarks within the file.
4.) Run the .cmd file
5.) Save a copy of the .keystore,
6.) Import the new certificate (.cer) into the Domino server
7.) Create a cross-certificate from the internet certificate
8.) Publish the certificate to clients through security policy settings
9.) Create a new NSF based Eclipse update site and import the local update site from the temporary location (see step 1)
10.) Create a widget catalog
11.) Create a new widget using the Toolbar icon "Getting started with Widgets" and choose "Features and Plugins"
12.) Add the widget created to the widget catalog created in step 10 and don't forget to define a meaningful title and category (e.g. Autoinstall) if you want the widget to be applied automatically. See next step for details.
13.) In the Domino Directory update the Desktop policy settings to include the newly created Widget catalog
Altogether, this allows plugins to be distributed automatically to Notes clients without error messages and without lowering overall security.
Well, one prompt remains....
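A pre-import check for the procedure above, as an added example that is not the author's signupdatesite.cmd: it lists the JARs under features/ and plugins/ of an extracted update site that carry no signature entries. The sample site, the file names and the alias MYALIAS are constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# A signed JAR holds META-INF/<ALIAS>.SF plus a signature block named
# <ALIAS>.RSA, .DSA or .EC. This checks presence only, not validity.
SIG_FILE = re.compile(r"^META-INF/([^/]+)\.(SF|RSA|DSA|EC)$", re.IGNORECASE)

def jar_signers(jar):
    """Aliases that have both a .SF file and a signature block in the JAR."""
    with zipfile.ZipFile(jar) as zf:
        hits = [m for n in zf.namelist() if (m := SIG_FILE.match(n))]
    sf = {m.group(1).upper() for m in hits if m.group(2).upper() == "SF"}
    blocks = {m.group(1).upper() for m in hits if m.group(2).upper() != "SF"}
    return sorted(sf & blocks)

def unsigned_jars(site_dir):
    """List JARs under features/ and plugins/ that carry no signature."""
    site = Path(site_dir)
    if not (site / "site.xml").is_file():
        raise FileNotFoundError(f"site.xml not found in {site}")
    jars = sorted(p for sub in ("features", "plugins") for p in (site / sub).glob("*.jar"))
    return [p.relative_to(site).as_posix() for p in jars if not jar_signers(p)]

def build_sample_site(root):
    """Constructed sample: one signed-looking plugin, one unsigned feature."""
    root = Path(root)
    for sub in ("features", "plugins"):
        (root / sub).mkdir(parents=True, exist_ok=True)
    (root / "site.xml").write_text("<site/>")
    with zipfile.ZipFile(root / "plugins" / "com.example.demo_1.0.0.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/MYALIAS.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/MYALIAS.RSA", b"placeholder, not a real signature")
    with zipfile.ZipFile(root / "features" / "com.example.feature_1.0.0.jar", "w") as zf:
        zf.writestr("feature.xml", "<feature/>")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(unsigned_jars(build_sample_site(tmp)))
```

An empty result only means every JAR has signature entries; running `jarsigner -verify` on each JAR remains the authoritative validity check.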
QuickR - How to count the number of registered users?- 14 June 2012 - (0) Comments
Thomas Hampel
14 June 2012
Let's assume an IBM QuickR environment where all users are allowed to access the Domino server that QuickR runs on.
How would an administrator report the number of users?
The log.nsf is not the right place to look, because users leave a trace there just by accessing (e.g.) the Domino directory, but not QuickR.
A better way is to use the QuickR Place Catalog (placecatalog.nsf) on your QuickR server. Its design is set to not show up in the Open Database dialog, so you either need to type in the filename or use the Admin client to open it.
It contains a view named "Total Places By Member" which shows the total number of QuickR users across all places, including those with Anonymous access, all categorized by user name.
So to identify the number of QuickR users, collapse everything in this view so that you can see the first category only.
What you can see is the member number and the user name.
Now scroll down to the last entry in this view - the last number displayed there is the total number of unique users.
Be aware:
- If there are places which grant access to a group, then groups displayed in this view need to be resolved recursively
- If Anonymous access is enabled, special licensing rules apply
If anyone would like to do this automatically, here is some LotusScript code which might help.
%REM
    Agent Count number of registered QuickR Users
    Created Jun 14, 2012 by Thomas Hampel
    Description:
    A simple agent to report QuickR user names - feel free to modify
%END REM
Option Public
Option Declare

Const QuickRServer$ = "Domino-Name-Of-QuickR-Server"
Const QuickRPlaceCatalog$ = "PlaceCatalog.nsf"
Const QuickRViewName$ = "TotalPlacesByMember"
Const NABServer$ = "Domino-Name-Of-QuickR-Server"
Const NABFilename$ = "names.nsf"

Dim userlist List As Boolean

Sub Initialize
    Dim nab As New NotesDatabase (NABServer$, NABFilename$)
    Dim PlaceCatalog As New NotesDatabase (QuickRServer$, QuickRPlaceCatalog$)
    Dim view As NotesView
    If Not nab.IsOpen Then
        Print "Unable to open Domino Directory : " & NABServer$ & " - " & NABFilename$
        End
    End If
    If Not PlaceCatalog.IsOpen Then
        Print "Unable to open QuickR PlaceCatalog : " & QuickRServer$ & " - " & QuickRPlaceCatalog$
        End
    End If
    '# load all elements into list object
    Set view = PlaceCatalog.GetView (QuickRViewName$)
    Call LoadNamesFromView (view)
    '# resolve membership
    Call ResolveGroupMembers
    '# output result
    Print "Total number of unique users is " & CountUsers()
    '# Anonymous access...
    If IsElement (userlist ("anonymous")) Then
        Print "Anonymous access to one or more places is ENABLED"
    Else
        Print "Anonymous access to one or more places is DISABLED"
    End If
End Sub

Function LoadNamesFromView (View As NotesView)
    Dim doc As NotesDocument
    Dim tDoc As NotesDocument
    Dim usernameArray As Variant
    Dim usercount#
    '# exit if the view is not valid
    If view Is Nothing Then Exit Function
    view.AutoUpdate = False
    Set doc = view.GetFirstDocument
    While (Not doc Is Nothing)
        Set tDoc = view.GetNextDocument (doc)
        If doc.IsValid Then
            usernameArray = Evaluate (|@Unique(@Trim(PlaceOwners : PlaceManagers : PlaceEditors : PlaceAuthors : PlaceReaders))|, doc)
            ForAll u In usernameArray
                '# add name to list of unique users
                userlist (u) = True
                usercount# = usercount + 1
            End ForAll
        End If
        Set doc = tDoc
    Wend
    Print "Found " & usercount# & " entries across all places."
End Function

Function expandGroupNames(GroupName As String, GroupMemberArray As Variant) As Boolean
    On Error GoTo errorHandler
    expandGroupNames = False
    If Len(Trim$(GroupName)) = 0 Then
        GoTo functionExit '# if no name is passed, don't even try to resolve the group name
    End If
    '# Undocumented @Formula from http://www-304.ibm.com/support/docview.wss?uid=swg21101582
    '# Input from http://www.dominoguru.com/pages/01202009030630.html
    GroupMemberArray = Evaluate(|@ExpandNameList("| & NABServer$ & |":"| & NABFilename$ & |";"| & GroupName$ & |")|)
    GroupMemberArray = ArrayUnique(GroupMemberArray, 5)
    If UBound(GroupMemberArray) = 0 Then
        '# if there's only one group member, check to see if it's valid
        If StrCompare(GroupMemberArray(0), GroupName$, 5) = 0 Then
            '# if the only member found is the group name itself, the group couldn't be resolved
            GoTo functionExit
        End If
    End If
    expandGroupNames = True
functionExit:
    Exit Function
errorHandler:
    MsgBox "Error " & Err & ": " & Error & " at line " & Erl & " of " & GetThreadInfo(1) & ".", , "Error encountered!"
    Print "Error " & Err & ": " & Error & " at line " & Erl & " of " & GetThreadInfo(1)
    Resume functionExit
End Function

Function ResolveGroupMembers As Integer
    Dim GroupMemberArray As Variant
    '# loop all users found
    ForAll user In userlist
        '# try to resolve the existing list entry
        If expandGroupNames (ListTag(user), GroupMemberArray) Then
            ForAll members In GroupMemberArray
                '# add the new name to the list
                userlist (members) = True
            End ForAll
        End If
    End ForAll
End Function

Function CountUsers As Long
    Dim count&
    ForAll user In userlist
        count& = count + 1
    End ForAll
    CountUsers = count&
End Function
Bug in DominoBlog template- 12 June 2012 - (0) Comments
Thomas Hampel
12 June 2012
For some reason it wasn't possible to use embedded images within blog postings; looking at the HTML source of the resulting web page showed that some piece of HTML code was inserted when saving the document.
After some debugging, I figured out that it was caused by the script library "DXNotesContentProcessing" where the function "autoCreateLinks" is the one to be looked at.
Function autoCreateLinks(strIn As String) As String
    If configdoc.config_createlinks(0)="Create Links" Then
        'Search for text and replace with link
        autoCreateLinks=strIn
        Dim view As notesview
        Dim docLink As NotesDocument
        Set view=db.getview("vLinksDesc")
        Set docLink=view.GetFirstDocument
        Do Until docLink Is Nothing
            If Instr(autoCreateLinks," "+docLink.linktext(0)+" ")>0 Then
                autoCreateLinks=R5replaceSubstring(autoCreateLinks," "+docLink.linktext(0)+" ",{ <a href="}+docLink.link(0)+{" title="}+docLink.linktext(0)+{">}+docLink.linktext(0)+{</a> })
            End If
            Set docLink=view.GetNextDocument(docLink)
        Loop
    Else
        autoCreateLinks=strIn
    End If
End Function
This function is used to replace a piece of text with the URL configured for it. It uses the links from "Configuration\Links" and searches the HTML string for any entry whose field "Link Text" matches.
Bad luck if one created links like this one, where no link text is specified:
This causes the function above to search for the occurrence of 2 spaces "  ", which unfortunately is true for embedded images... actually they are located directly behind the tag.
Workaround
- Turn off "Auto Create Links from Link List" located in the configuration document of the blog under "Site Settings\Content Creation"
- Make sure that all links in "Configuration\Links" are created with a proper link text
What about a permanent fix?
Modify the form "Link" and add an input validation formula to the field "linktext" as shown below.
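The failure described above, modelled in Python as an added example (not the template's LotusScript and not the validation formula the post refers to): the first function mirrors the replace loop, the second skips link entries whose link text is empty. The link list, URLs and posting are constructed.

```python
def auto_create_links(html, links):
    """Model of the template's loop; links is a list of (link_text, url)."""
    for text, url in links:
        needle = " " + text + " "
        if needle in html:
            anchor = ' <a href="%s" title="%s">%s</a> ' % (url, text, text)
            html = html.replace(needle, anchor)
    return html


def auto_create_links_guarded(html, links):
    """Same loop, but entries with empty or whitespace-only text are ignored."""
    usable = [(text, url) for text, url in links if text.strip()]
    return auto_create_links(html, usable)


# Constructed sample: one normal link entry, one entry saved without link
# text, and a posting in which an image is followed by two spaces.
LINKS = [
    ("Domino", "http://example.com/domino"),
    ("", "http://example.com/untitled"),
]
POST = '<p>Running Domino here.</p><img src="shot.png">  <p>More text</p>'

if __name__ == "__main__":
    print(auto_create_links(POST, LINKS))          # empty anchor after the image
    print(auto_create_links_guarded(POST, LINKS))  # image markup left intact
```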
ID Vault - Error 03:11- 8 June 2012 - (0) Comments
Thomas Hampel
8 June 2012
When deploying the IDVault, administrators may see the following error in the Log.nsf of the server hosting the IDVault.
06/08/2012 04:54:18 PM ID failed to upload to vault 'O=XYZ-IDVault'. 'Firstname Lastname/OU/O' (IP Address a.b.c.d:port) made request. Error: 03:11
06/08/2012 04:59:16 PM Unable to find ID for 'Firstname Lastname/OU/O' in vault 'O=XYZ-IDVault'. Error: 03:11
Root cause for this is a pending name change request which was not applied to the user. Take a look at the person document of this user, especially the tab "Administration"; the Client Information section will display any pending name change requests.
Technically the name change request is stored in a field called "ChangeRequest", supported by "ChangeRequestDate" which is storing the date/time of when this request was initiated.
In my particular case, the name change request was almost 3 years old and it was not possible to find out what has caused this request to still appear in the system.
Workaround:
Remove both fields (or set them to an empty value), e.g. by using the Change Any Field method
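To find which person documents to check for a stale "ChangeRequest", the two log messages above can be grouped by user. This is an added example, not part of the original post; it assumes the log was exported as plain text with the timestamp format shown above, and the third sample line is constructed.

```python
import re

# First two lines are the messages quoted in the post (with its placeholder
# names); the last line is a constructed, unrelated entry.
SAMPLE_LOG = """\
06/08/2012 04:54:18 PM ID failed to upload to vault 'O=XYZ-IDVault'. 'Firstname Lastname/OU/O' (IP Address a.b.c.d:port) made request. Error: 03:11
06/08/2012 04:59:16 PM Unable to find ID for 'Firstname Lastname/OU/O' in vault 'O=XYZ-IDVault'. Error: 03:11
06/08/2012 05:01:02 PM Database Replicator started
"""

LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) +"
    r"(?:ID failed to upload to vault '(?P<v1>[^']+)'\. '(?P<u1>[^']+)' "
    r"\(IP Address [^)]*\) made request"
    r"|Unable to find ID for '(?P<u2>[^']+)' in vault '(?P<v2>[^']+)')"
    r"\. Error: (?P<code>[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2})\s*$"
)


def vault_errors(log_text, code="03:11"):
    """Group ID Vault upload/lookup failures with the given code by user."""
    users = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group("code") != code:
            continue
        kind = "upload" if m.group("u1") else "lookup"
        user = m.group("u1") or m.group("u2")
        entry = users.setdefault(
            user,
            {"vaults": set(), "upload": 0, "lookup": 0, "first": m.group("ts")},
        )
        entry["vaults"].add(m.group("v1") or m.group("v2"))
        entry[kind] += 1
        entry["last"] = m.group("ts")
    return users


if __name__ == "__main__":
    for name, info in vault_errors(SAMPLE_LOG).items():
        print(name, sorted(info["vaults"]), info["upload"], info["lookup"])
```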
Passthru configuration done right- 2 June 2012 - (2) Comments
Thomas Hampel
2 June 2012
I'm wondering why some customers are not using Passthru - a function which has existed in Notes/Domino for years.
From an infrastructure point of view, a Domino passthru server is nothing other than a special reverse proxy for Notes/Domino. Compared to normal reverse proxy servers it provides a higher level of security because authentication/authorization uses the NotesID and does not rely on username/password.
I've seen customers who create multiple location documents and tell end users to switch between them to force the usage of passthru. Personally I don't think that this is what end users expect, so here is a configuration which will use the passthru server automatically when it cannot find a direct connection.
To efficiently use an existing passthru server, Notes Clients should be configured the following way:
1.) Create a server connection document in the personal address book of the Notes Client pointing to the passthru server name and its IP address (or DNS name)
2.) Create another connection document, of type "passthru", which is used for */Org, where Org is the root certifier of your organization.
Important for this one is to set the usage priority to "Low" as shown in this picture
Once completed, it's time for testing the connection.
Advanced options:
When using multiple passthru servers, it's possible to put an IP sprayer or load balancer in front of them, so all servers are addressable with the same DNS name.
Typically a Notes client will reject connecting to a server that is using a different name than the one requested.
No need to worry, because Technote 1233210 already provides the solution.
On each of the Domino passthru servers behind the network sprayer you can add NETWORK_SPRAYER_ADDRESS=sprayer to notes.ini, where "sprayer" is a comma-separated list of acceptable names or IP addresses of the load balancer.
Result :
If the Notes Client is within the corporate network it will directly connect to the target Domino server, but if the direct connection fails it will try to use the next available passthru server.
Can’t contact LDAP server- 1 June 2012 - (0) Comments
Thomas Hampel
1 June 2012
Authenticating Domino users against a remote LDAP is nothing new. Some people have blogged about it or created a presentation already.
Furthermore there are some good articles out there explaining the implementation of AD Authentication, Directory Integration and SPNEGO.
When you're done with the configuration, things may run smoothly at first, but after a few days authentication may stop working.
Restarting the server might help, but only for a short time. The reason is a bug in the Domino server, referenced as SPR# AJMO8NVM8F, where Domino no longer seems to find the remote LDAP server.
Steps to reproduce:
1. Enable the following debug parameters:
Debug_DirectoryAssistence=1
WebAuth_Verbose_Trace=1
LDAPDEBUG=512
2. After some time, Domino may become unable to contact the remote LDAP server
The error message displayed at the console is the following:
LDAP> connect_to_host: EndPoint connect failed: The remote server is not a known TCP/IP host.
LDAP> Unable to chase references (Can't contact LDAP server)
This issue has been documented in LO66491 http://www-304.ibm.com/support/docview.wss?uid=swg1LO66491
It seems the problem still exists in Domino 8.5.3 with FixPack1, so if you run into this problem, open a PMR to get a hotfix.
A temporary workaround is to issue the command "show xdir reload" at the server, which can also be run as a scheduled program document every 30min.
It won't fix the issue itself, but it will reload the directory assistance tables, which resets the error state back to normal.