Lotus Domino Connector - Unable to provision user

  • Question

  • Hi all,

    I have a small problem using the Lotus Domino Connector. I cannot get FIM to provision a user (International user, with an ID stored as an attachment) in Domino. Also I cannot activate the logs on the connector. I have tried to follow these threads:

    http://social.technet.microsoft.com/wiki/contents/articles/21086.how-to-enable-etw-tracing-for-fim-2010-r2-connectors.aspx
    http://social.technet.microsoft.com/Forums/en-US/dbeeb280-4c2a-492f-9d5a-0c14d340ae0c/lotus-domino-connector-logging?forum=ilm2

    And for the config of the connector itself this one: https://msdn.microsoft.com/en-us/library/hh859750%28v=ws.10%29.aspx

    This is my config:

    - FIM 2010 R2 SP1

    - Lotus domino 8.5.3 HF6

    - Lotus domino client 8.5.3 HF6 installed in single mode on the FIM box

    - Lotus Domino Connector build: 1.0.597.910

    I am using the Portal for my sync rules.

    I have activated the verbose logging on the DOMINO Server and I can see a connection made to the server by FIM but no provisioning.

    The connector gives me this error in the stack trace: Notes Error: Access to Data Denied.

    I am using an admin account, which is in the LocalAdmins Group on the Domino server (I have checked with a Notes admin and everything looks perfectly fine on the Domino side).

    Also, as mentioned, I have been trying to activate the logging of the connector but without success. I have seen that I need to use ETW tracing, I have followed the instructions on the TechNet site, I got the Source Name (connectorLog), however I do not know the ETW GUID (I have tried many GUIDs with no success).

    I was wondering if anyone could lend me a hand to activate logging and provision a user. For information an update of the user in the domino directory works fine.

    Also I was wondering if someone had already succeeded in making the connector work for provisioning.

    Thanks for your help.

    Sylvan


    • Edited by Zoltar00 Wednesday, January 20, 2016 8:17 AM
    Tuesday, January 19, 2016 9:44 AM

Answers

  • Hi Guys,

    Got it finally working for users for the "access is denied" error. It happens that I had forgotten to specify the attribute _MMS_IDPath in the export flow. Added it and it works; the ID files are created in the MaData folder and created in Notes.

    Still haven't had any luck activating the tracing on the Notes connector. If anybody has got a hint it would be great.

    Hope this helps anyone.

    Thanks

    Sylvan

    • Marked as answer by Zoltar00 Saturday, August 6, 2016 10:51 PM
    Saturday, April 16, 2016 10:06 PM
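
As an added example (not part of the original posts and not Microsoft's connector code), this Python script checks an export audit file like the one posted in the thread for Person adds that lack `_MMS_IDPath`, the attribute the answer above found missing, and lists entries whose `_MMS_Password` is written to the file in clear text. Treating `_MMS_IDPath` as required is an assumption drawn from that answer; the function name `audit_export`, the `Test User` entry and its placeholder value are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://www.microsoft.com/mms/mmsml/v2"}
# Assumption taken from the thread's resolution: a Person add needs
# _MMS_IDPath in the export flow. Extend the tuple for your own rules.
REQUIRED_ON_PERSON_ADD = ("_MMS_IDPath",)
SENSITIVE = ("_MMS_Password",)

# Constructed sample: first entry trimmed from the thread's audit file,
# second entry invented here to show a delta that passes the check.
SAMPLE = """<?xml version="1.0"?>
<mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="export">
 <directory-entries>
  <delta operation="add" dn="CN=James Bond,O=BOLET,NAB=names.nsf">
   <primary-objectclass>Person</primary-objectclass>
   <attr name="_MMS_Certifier" type="string"><value>O=BOLET</value></attr>
   <attr name="_MMS_Password" type="string"><value>Passw0rd</value></attr>
  </delta>
  <delta operation="add" dn="CN=Test User,O=BOLET,NAB=names.nsf">
   <primary-objectclass>Person</primary-objectclass>
   <attr name="_MMS_IDPath" type="string"><value>PLACEHOLDER.id</value></attr>
  </delta>
 </directory-entries>
</mmsml>"""

def audit_export(xml_text):
    """Return (missing, sensitive) findings for Person add deltas, keyed by DN."""
    root = ET.fromstring(xml_text)
    missing, sensitive = {}, []
    for delta in root.iterfind(".//m:delta[@operation='add']", NS):
        if delta.findtext("m:primary-objectclass", namespaces=NS) != "Person":
            continue
        dn = delta.get("dn")
        # An attribute counts as present only when it carries a non-empty value.
        present = {
            a.get("name")
            for a in delta.iterfind("m:attr", NS)
            if (a.findtext("m:value", default="", namespaces=NS) or "").strip()
        }
        absent = [n for n in REQUIRED_ON_PERSON_ADD if n not in present]
        if absent:
            missing[dn] = absent
        if any(n in present for n in SENSITIVE):
            sensitive.append(dn)
    return missing, sensitive

if __name__ == "__main__":
    missing, sensitive = audit_export(SAMPLE)
    print("missing:", missing, "| cleartext password:", sensitive)
```

Any DN in the second list means the audit drop file holds an initial password in clear text, so restrict access to the file and delete it once troubleshooting is done.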

All replies

  • Hi guys,

    Any solution? 

    Thanks for your help

    Sylvan

    Thursday, January 21, 2016 7:53 AM
  • Hi all,

    Anybody got any ideas?

    I have tried to find the GUID of the provider using xperf, but the only GUID I find is the Synchronization engine GUID. I have tried this GUID, I do receive some information but not the data from the Notes MA.

    Any pointers would be really appreciated.

    Thanks

    Sylvan

    Monday, February 1, 2016 3:49 PM
  • Hi Guys,

    Finally got it to work. 

    It was simply a version mismatch. DOMINO Server was version 8.5.3 FP6 and the Notes client on the FIM box was 8.5.3 FP2.

    Upgraded notes client to FP6 and it works.

    Hope this helps someone.

    Cheers,

    Sylvan

    • Marked as answer by Zoltar00 Thursday, February 4, 2016 3:32 PM
    • Unmarked as answer by Zoltar00 Wednesday, April 13, 2016 10:38 PM
    Thursday, February 4, 2016 3:32 PM
  • Hi Guys,

    I am reopening this case because it seems not to work again. I still have the same issue: I cannot provision a user to Lotus.

    This is for a customer and I just can't figure out why it does not work.

    I have upgraded to the latest version of the Lotus Domino Connector and followed the instructions as mentioned in this post: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-connector-domino/

    I have currently got the DOMINO server in version 8.5.3FP6 as well as the Lotus Notes client running on the FIM Machine. My version of FIM2010R2 is: 4.1.3671.0

    I can import the users fine. I can update them if they exist in the names.nsf, however I cannot create a new user; even a contact does not get created.

    When I run the export profile, I get the following error:

    System.Runtime.InteropServices.COMExceptionSystem.Runtime.InteropServices.COMException (0x80040FA5): Notes error: Access to data denied. (Bond)
       at Domino.IRegistration.RegisterNewUser(String pLastn, String pIdfile, String pServer, String pFirstn, String pMiddle, String pCertpw, String pLocation, String pComment, String pMaildbpath, String pForward, String pUserpw, String pAltName, String pAltLang, USER_TYPE type)
       at Microsoft.IdentityManagement.MA.LotusDomino.NotesClientWrapper.DominoPerson.RegisterUser(IDictionary`2 person, Context exportContext)
       at Microsoft.IdentityManagement.MA.LotusDomino.Core.Person.Add(CSEntryChange csentry, Context exportContext, List`1 listChangeResult)
       at Microsoft.IdentityManagement.MA.LotusDomino.Core.Person.ExportEntry(CSEntryChange csentry, Context exportContext, List`1 listChangeResult)

    However if I stick an audit file in the export run profile I get the following error:

    System.Collections.Generic.KeyNotFoundExceptionSystem.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
       at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
       at Microsoft.IdentityManagement.MA.LotusDomino.NotesClientWrapper.DominoPerson.GetCertifierPasswordKey(IDictionary`2 person, Context exportContext)
       at Microsoft.IdentityManagement.MA.LotusDomino.NotesClientWrapper.DominoPerson.RegisterUser(IDictionary`2 person, Context exportContext)
       at Microsoft.IdentityManagement.MA.LotusDomino.Core.Person.Add(CSEntryChange csentry, Context exportContext, List`1 listChangeResult)
       at Microsoft.IdentityManagement.MA.LotusDomino.Core.Person.ExportEntry(CSEntryChange csentry, Context exportContext, List`1 listChangeResult)

    I have got verbose logging on the DOMINO server and I can see a connection being made and the search done in the names.nsf, however the adminP process is not firing. Here is the XML of the exported data:

    <?xml version="1.0" encoding="UTF-16"?>
    <mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="export">
      <directory-entries>
    <delta operation="add" dn="CN=James Bond,O=BOLET,NAB=names.nsf">
     <primary-objectclass>Person</primary-objectclass>
     <objectclass>
      <oc-value>Person</oc-value>
     </objectclass>
     <attr name="EmployeeID" type="string" multivalued="true">
      <value>A010188</value>
     </attr>
     <attr name="FirstName" type="string" multivalued="true">
      <value>James</value>
     </attr>
     <attr name="FullName" type="string" multivalued="true">
      <value>CN=James Bond,O=BOLET,NAB=names.nsf</value>
     </attr>
     <attr name="InternetAddress" type="string" multivalued="true">
      <value>James.Bond@bolet.me</value>
     </attr>
     <attr name="LastName" type="string" multivalued="true">
      <value>Bond</value>
     </attr>
     <attr name="MailDomain" type="string" multivalued="true">
      <value>BOLET</value>
     </attr>
     <attr name="MailFile" type="string" multivalued="true">
      <value>MAIL\Jbond.nsf</value>
     </attr>
     <attr name="MailServer" type="string" multivalued="true">
      <value>CN=DOMINO/O=BOLET</value>
     </attr>
     <attr name="ShortName" type="string" multivalued="true">
      <value>Jbond</value>
     </attr>
     <attr name="_MMS_Certifier" type="string" multivalued="false">
      <value>O=BOLET</value>
     </attr>
     <attr name="_MMS_IDRegType" type="integer" multivalued="false">
      <value>0x2</value>
     </attr>
     <attr name="_MMS_IDStoreType" type="integer" multivalued="false">
      <value>0x1</value>
     </attr>
     <attr name="_MMS_Password" type="string" multivalued="false">
      <value>Passw0rd</value>
     </attr>
     <attr name="_MMS_UseAdminP" type="boolean" multivalued="false">
      <value>true</value>
     </attr>
    </delta>
    <delta operation="add" dn="CN=Eva Longoria,O=BOLET,NAB=names.nsf">
     <primary-objectclass>Person</primary-objectclass>
     <objectclass>
      <oc-value>Person</oc-value>
     </objectclass>
     <attr name="EmployeeID" type="string" multivalued="true">
      <value>A010187</value>
     </attr>
     <attr name="FirstName" type="string" multivalued="true">
      <value>Eva</value>
     </attr>
     <attr name="FullName" type="string" multivalued="true">
      <value>CN=Eva Longoria,O=BOLET,NAB=names.nsf</value>
     </attr>
     <attr name="InternetAddress" type="string" multivalued="true">
      <value>Eva.Longoria@bolet.me</value>
     </attr>
     <attr name="LastName" type="string" multivalued="true">
      <value>Longoria</value>
     </attr>
     <attr name="MailDomain" type="string" multivalued="true">
      <value>BOLET</value>
     </attr>
     <attr name="MailFile" type="string" multivalued="true">
      <value>MAIL\A010187.nsf</value>
     </attr>
     <attr name="MailServer" type="string" multivalued="true">
      <value>CN=DOMINO/O=BOLET</value>
     </attr>
     <attr name="ShortName" type="string" multivalued="true">
      <value>A010187</value>
     </attr>
     <attr name="_MMS_Certifier" type="string" multivalued="false">
      <value>O=BOLET</value>
     </attr>
     <attr name="_MMS_IDRegType" type="integer" multivalued="false">
      <value>0x2</value>
     </attr>
     <attr name="_MMS_IDStoreType" type="integer" multivalued="false">
      <value>0x1</value>
     </attr>
     <attr name="_MMS_Password" type="string" multivalued="false">
      <value>Passw0rd</value>
     </attr>
     <attr name="_MMS_UseAdminP" type="boolean" multivalued="false">
      <value>true</value>
     </attr>
    </delta>
      </directory-entries>
    </mmsml>

    I have been at this for some time and I cannot get it to work. Also I still cannot get the tracing to work. Any ideas on how I can activate the logging? I know that the source is ConnectorsLog, but how do I initialize the data? If anyone has got any ideas and can help me with these two problems I would appreciate it.

    This is quite urgent, thanks for your help.

    Sylvan

    Wednesday, April 13, 2016 11:00 PM