Loading IDs to the ID Vault using default passwords

I am looking for best practice recommendations. The situation:

User environment is still 6.5. Servers have been upgraded to 12.0.2, and we want to implement ID Vault to facilitate most users going to Nomad.

We have backup ID files with known (default) passwords, so we can do a bulk upload via .csv.

However, the passwords on the Vault IDs will not match those that users are currently using in production.

What is the most convenient way to reconcile this? Do we need to tell everybody their default passwords, and ask them to change them afterward, or is there a cleaner/smoother way?

Notes and Windows passwords are not synchronised.

I'm not sure, but I think if you set up an ID Vault policy for the purpose, the user ID should get uploaded to the ID Vault on the next Notes client login.

Try playing around with the ID Vault policy and this may work...

But if clients are still on 6.5 it may not work, as the ID Vault possibly came in with 8.5.

"Enforce password change after password has been reset" can also be tried, in the policy document.

As you say, it will not work with 6.5 clients, hence the need to upload via .csv.

I did think of enforcing password change, but to do that the user will first need to know the password of the uploaded file, surely?

I haven't tried it, but I guess the password he needs to know will be the one set on the ID file he owns and which was used to log in to the Notes client.
But 6.5 might still be an issue...

6.5 just means we cannot load the files from the Notes client. It will have to be by .csv. The password he will need to know will certainly be the one stored in the vault - Nomad has no knowledge of the one on his local drive.

If this approach is a no go then the only solution is an administrative one and not a technical one. Work out a method of collecting current user IDs with current passwords from users and upload those ID files via that .csv file handling script. In any case you would be a trusted person, since you are already being trusted with the bulk of the old ID files. To collect current ID files, iNotes might be an option (I haven't given a thought to the details and the vintage of iNotes); else you could create a new NSF with the requisite security where users are required to upload their ID files as a one-time action. It is messy, but you need to weigh the options considering the risks and the compulsions... you may delete this repository once all is done and dusted.

Hello @Andrew Brew. You can configure ID Vault and upload user IDs to the vault. You can refer to this product document: "Uploading user IDs to a vault manually". This will provide a backup of the user's ID files.

Now, when passwords on Notes client IDs become different from the passwords on the IDs in the ID vault, synchronization of ID information between clients and the ID vault stops. You can enable automatic restarting of synchronization when the passwords get out of sync. Refer to "Maintaining ID file synchronization".

You may refer to this document to know in detail "How an ID vault works".

Hello.

ID vaulting was implemented in Notes/Domino 8.5. Therefore, Notes 6 users are not automatically uploaded into the identity vault.

An administrator must know their password in order to upload to the vault on their behalf.

For example, how about the following method?
1. all users change their ID password to "password"
2. all users send their ID files to the administrator.
3. the administrator uploads the ID file to the vault

It may not be a very good method, but I have not found any other useful method.

Regards,

Shigemitsu Tanaka

Thank you, Shigemitsu, but the reason I mentioned 6.5 was to make it clear that we cannot load IDs automatically from the client.

We have IDs with known passwords, but I cannot find a better solution than telling everyone their default passwords and asking them to change them after they first log on.

If you are doing something like this I would strongly recommend against using "password", or any default password known to all. That is an invitation to identity theft!

Hello @Andrew Brew ,

Considering the security concerns of having a default password for all user IDs in the vault: if the Domino servers are in the AD domain and users log in to their Windows machines through their AD credentials, I suggest enabling ID Vault password sync with Windows AD, introduced in Domino V12.0.1.

Reference:

https://help.hcl-software.com/domino/12.0.2/admin/conf_adsync_password_sync.html

After implementing the AD password sync, once users change their Windows passwords, the newly set passwords would be updated on the user IDs in the vault database.

So the users can log in to Nomad using their Windows password.

This would address the security concerns related to disclosing default ID passwords to users.

Best regards,

Chaitanya Y