Community

Product DocsMenu

Creating and Validating a Notes Security Mapping File Using Notes Security Resolution Tool

Resolution methods are expressions that dictate how Windows usernames are formed from the Notes user's fields in the Domino address book. Use resolution methods whenever Notes user account names follow a specific pattern enabling a mapping pattern to be applied between users. The user account name pattern can be formed of string constants, fields from the Domino address book and regular expressions. Resolution methods can be particularly useful when you have a large address book.

Note: When you need more than one resolution method to map all your users, enable the Allow Multiple Resolution Methods parameter in the Notes security provider configuration page (see Configuring an IBM Notes Security Provider).

The NotesSecurityResolutionTool.exe command line tool that comes with CES can perform different operations to help you create and validate the security mapping file when using resolution methods.

Important: Whenever the security mapping file is modified, you have to restart the Notes security provider by clicking Apply Changes in the Modify Security Provider page of the Administration Tool. Otherwise, your security modifications will not be reflected in CES.

To create and validate a Notes security mapping file using the Notes security resolution tool

  1. Understand how to design resolution methods.

    Example: Resolution methods look like the following: 

    <?xml version="1.0" encoding="utf-8" ?> 
<SecurityMapping> 
  <ResolutionMethods> 
    <ResolutionMethod MethodName="FirstAndLastNames"> 
      <Format>domain\{firstNameArg}{lastNameArg}</Format> 
        <Arguments> 
          <Argument Name="firstNameArg">%[FirstName]</Argument> 
          <Argument Name="lastNameArg">%[LastName]</Argument> 
        </Arguments> 
    </ResolutionMethod> 
    <ResolutionMethod MethodName="FirstLetterLastName"> 
      <Format>domain\{firstLetterArg}{lastNameArg}</Format> 
          <Arguments> 
          <Argument Name="firstLetterArg"RegEx=".*\b(\w)">%[FirstName]</Argument> 
          <Argument Name="lastNameArg">%[LastName]</Argument> 
        </Arguments> 
  </ResolutionMethod> 
    <ResolutionMethod MethodName="DomainFirstAndLastNames"> 
       <Format>{domainArg}\{firstLetterArg}{lastNameArg}</Format> 
        <Arguments> 
          <Argument Name="domainArg">%[COVEO_ServerDomain]</Argument> 
          <Argument Name="firstLetterArg"RegEx=".*\b(\w)">%[FirstName]</Argument> 
          <Argument Name="lastNameArg">%[LastName]</Argument> 
        </Arguments> 
    </ResolutionMethod> 
  </ResolutionMethods> 
 </SecurityMapping>

    The first resolution method node (<ResolutionMethod></ResolutionMethod>) combines the first name (%[FirstName]) and last name (%[FirstName]) fields of IBM Notes users to form the corresponding Windows users. The syntax %[Field] identifies a specific field from the current Notes user in the Domino address book. For example, the current Notes user being mapped is John Smith. Its corresponding Windows user will be domain\JohnSmith.

    The second resolution method node uses a regular expression to extract the first letter from the first name field of Notes users. It also uses the last name field, just like the first resolution method node does. If the first method fails while trying to map the user John Smith, the Windows user being mapped will be devdomain\JSmith.

    The last method is almost identical to the second one, except that the domain name used to form Windows users is taken from the COVEO_ServerDomain field (%[COVEO_ServerDomain]). This is a special Coveo field with a value corresponding to the name of the current Domino server. If the second method fails and the current Domino server from which Notes users are extracted is named domino8.corp.domain.com; hence, the Windows user being mapped will be domino8.corp.domain.com\JSmith.

  2. Open a text editor.

  3. In a text editor, depending on your use case, write a basic file with a single resolution method.

    Example: Your file content should look like the following: 

    <?xml version="1.0" encoding="utf-8" ?>  
 <SecurityMapping>  
   <ResolutionMethods>  
     <ResolutionMethod MethodName="FirstLetterLastName">  
       <Format>domain\{firstLetterArg}{lastNameArg}</Format>  
           <Arguments>  
           <Argument Name="firstLetterArg"RegEx=".*\b(\w)">%[FirstName]</Argument> 
           <Argument Name="lastNameArg">%[LastName]</Argument>  
         </Arguments> <ResolutionMethod MethodName="FirstLetterLastName">  
    </ResolutionMethod> 
   </ResolutionMethods>  
  </SecurityMapping>

  4. Save the file with an XML extension (.xml) and remember the file path.

  5. Open Command Prompt.

  6. In Command Prompt, reach the folder where CES.NotesSecurityResolutionTool.exe is installed.

    Note: The tool is located in the Coveo Enterprise Search 7\Bin\Win32 folder, for instance C:\Program Files\Coveo Enterprise Search 7\Bin\Win32.

  7. Optionally, list all available fields for a Notes user by adapting the following command line to match your needs (see Notes Security Resolution Tool References): 

    Coveo.CES.NotesSecurityResolutionTool.exe /s:[MyDominoServer] /id:"[IDFilePath]" /p:"[SecurityMappingFilePath]" /o:"[OutputFilePath]" /t:"[ToolTemporaryFilesPath]" /show+

    For the /p:<string> parameter, enter the complete path to the file created in step 3.

    If your command line is valid, the tool will ask you to enter the password for the ID file you used.

    Note: The output contains all available fields and their values. If needed, use this as a reference to design new resolution methods.

  8. Optionally, generate a complete report about the resolution method(s) in the basic file created in step 3 by adapting the following command line to match your needs (see Notes Security Resolution Tool References): 

    Coveo.CES.NotesSecurityResolutionTool.exe /s:[MyDominoServer] /id:"[IDFilePath]" /p:"[SecurityMappingFilePath]" /show- /xml- /o:"[OutputFilePath]" /t:"[ToolTemporaryFilesPath]"

    For the /p:<string> parameter, enter the complete path to the file created in step 3 or updated in step 7.

    If your command line is valid, the tool will ask you to enter the password for the ID file you used.

    Note: For each resolution method, the report file (output file generated by the /o:<string> parameter) lists all Windows users that were either successfully or unsuccessfully mapped from Notes users. Ensure that all the users that you want to map are validated in the report. If not, review your resolution method(s), before proceeding to step 9.

  9. Generate a complete security mapping file starting with a single resolution method:

    1. In a text editor, design a new resolution method with the information obtained in step 7 and step 8, or open the basic file created in step 3.

    2. Under the closing ResolutionMethods node, add an empty DirectMappings node (<DirectMappings></DirectMappings>).

    3. Save the file.

    4. In Command Prompt, use the following command line adapted to your needs (see Notes Security Resolution Tool References): 

      Coveo.CES.NotesSecurityResolutionTool.exe /s:[MyDominoServer] /id:"[IDFilePath]" /p:"[SecurityMappingFilePath]" /show- /xml- /o:"[OutputFilePath]" /t:"[ToolTemporaryFilesPath]" /im- /vm+

      For the /p:<string> parameter, enter the complete path to the file created in step 3 or the modified file in step 7 or step 8 depending on your case.

      If your command line is valid, the tool will ask you to enter the password for the ID file you used.

      Note: For each successful user mapping (a corresponding Windows user was found for the Notes user being currently processed), a DirectMapping node is created and appended to the output XML file (generated by the /o:<string> parameter). By using DirectMapping nodes rather than ResolutionMethod nodes, validation is not required by the security provider and therefore processing them is much faster.

    5. In a text editor:

      1. Open the output XML file.

      2. Copy all the direct mapping nodes (<DirectMapping></DirectMapping>) generated by the tool.

      3. Create a new file and paste the direct mapping nodes between security mappings nodes (<DirectMappings></DirectMappings>) in another XML file.

        Example: Your security mapping file should look like the following: 

        <?xml version="1.0" encoding="utf-8" ?> 
<SecurityMapping> 
  <DirectMappings> 
    <DirectMapping> 
      <Lotus>John Smith</Lotus> 
      <Windows>domain\jsmith</Windows> 
    </DirectMapping> 
    <DirectMapping> 
      <Lotus>Jack Johnson</Lotus> 
      <Windows>domain\jjohnson</Windows> 
    </DirectMapping> 
  </DirectMappings> 
</SecurityMapping>

      4. Save the file in the Coveo Enterprise Search 7\Config folder, for instance C:\Program Files\Coveo Enterprise Search 7\Config.

      5. Enter the path to this file in the Security Mapping File Path box in the Notes security provider creation page (see Security Mapping File Path).

Notes Security Resolution Tool References

The following are the available parameters in the tool:

Parameter Long form Required Short form Description
Server Name /ServerName:<string> /s:<string> Domino server that contains the Global address book database.
User ID File Path /UserIdFilePath:<string> /id:<string> Complete path of the user.id file. If not specified, the default data path of the current IBM Notes installation is used.
Security Mapping File /SecurityMappingFilePath:<string> /p:<string> Complete path to the basic file containing your resolution method(s).
Output File Path /OutputPath:<string> /o:<string> Complete path to the output file. Format can be either text or XML, depending on the XmlOutput parameter.
Temporary Path /TempPath:<string> /t:<string> Folder used by the tool to store its temporary files.
IBM Notes Data Path /NotesDataPath:<string>   /d:<string> Complete path to the Data folder of the current IBM Notes installation.
IBM Notes Settings File Path /NotesINIFilePath:<string>   /ini:<string> Complete path to the Notes Settings file (notes.ini). To be used with a multi-user Notes install.
Show fields for user /ShowFieldsForUser[+|-]   /show[+|-] When the show+ option is used, the tool lists the metadata fields available for IBM Notes users directly in the command prompt. The security mapping file is not validated. Default value is show-.
Xml Output /XmlOutput[+|-   /xml[+|-] Whether a new XML security mapping file is output. When the xml- option is used, a report file is used. Use this in combination with the two following parameters. Default value is xml-.
Include Valid Securities /IncludeValidSecurities[+|-]   /vm[+|-] Outputs or not (vm-) the valid user mappings found using the resolution methods as new DirectMapping nodes inside the XML output file (Xml Output parameter must be activated). Default value is vm+.
Include Invalid Securities /IncludeInvalidSecurities[+|-]   /im[+|-] Output or not (im-) the invalid user mappings found using the resolution methods as new DirectMapping nodes inside the XML output file (Xml Output parameter must be activated). Default value is im-.

 

 

People who viewed this topic also viewed