Thursday, May 22, 2025

My IQ has gone up thanks to Engage

Engage just finished. The first one is under new management, and it is in safe hands.

I don't think I have ever seen Theo so happy with a big grin on his face the whole time. Tom and Kris did really well for their first time out. And they told us next year Engage will be in Belgium.

I had to miss last year's due to the timing and circumstances of the war at home, so it was great to talk to everyone. Thank you all for asking about the situation and the family. It means a lot.

The star attraction was Domino IQ, which adds AI to the core product. As an Admin, all I can say about this is that you will need to spend time building this out properly if you want to move beyond the basic regurgitation of your knowledge base or other internal documents. Also, IQ needs some extra hardware and configuration, so be prepared and read the what's new and requirements docs. Your developers will be busy.

It will be available starting with v14.5, which is coming out June 17! IQ is part of your license if you are under CCB Term (I believe). If you are a perpetual license org, this is your incentive to change licensing plans.

I was happy to see friends from past Engage shows, and in some cases people I hadn't seen in many years. Yes, we all got older, but we still have fun together.

There was a tease of Notes.Next but it is far from prime time ready so don't ask about it yet.

Roadmap sessions were broad with partial timelines for new items.

One thing that also stood out is the added accessibility across all the products, which need to comply with certain laws soon, and so that is taking up a lot of dev time.

As an Admin, I want to let everyone know to go get Cormac's slides from his session. His session was filled with great ideas and details about cleaning up your administrative items, and as he said, even old admins can learn something new, which I did about SMTP failover routing.

His blog is here, and hopefully, he will post his slides there or at the Engage website.

Lastly, the Lotus brand might return for at least one product. Or not. While this was from Richard Jefts' opening keynote, later on, other HCLers implied the name may not stay.

I will leave the debate about the brand to others, as both sides of the argument have their validity.

I was also in some partner/ambassador/HCL Roundtable sessions, which I can't say much about, but there are plans that will help the partners in the long run, which in turn will help you, the customers.

I think my own session scared a lot of people, but I hope it also helped them rethink how they and their teams interact with upper management and budget committees. My slides will not be posted, and I don't publish my Competitive Intelligence info. I will probably make a second blog post about it over the weekend.

Safe travels home everyone, talk to you soon or see you, at least virtually, some time soon.


Tuesday, August 20, 2024

SnTT - Does TOTP Work for Users in a Secondary Directory via DA?

TOTP, DA, and Domino

For the last 3 years, I have worked with TOTP inside HCL Domino and customers with unique requirements.

This has provided fodder for my blog, and today, we have a new entry into the TOTP Mystical Ways of the World.

Let me state my usual caveat upfront: TOTP is about the URL, not the server, the database, or the user.

You enable TOTP for each URL you want on your server.

PSA is completed. Let's discuss the circumstances that brought me here.

Like many of our customers, this one has a large external user community relying on its applications.

The customer has licensed this with HCL, so I am not going to get involved in that discussion. However, be warned: It is not a comfortable one if you have been relying on some old licensing options and now fall under the new ones.

We have about 7,000 external customers. Some are undoubtedly old customers, but 7,000 is a lot of people.

Previously, I wrote about how to bulk add these people into your ID Vault, and that was all fine and good when we had only one names.nsf for everyone and everything. We may have had 2-3 servers in that org.

Now, the 7,000 are in a secondary external names.nsf via DA (Directory Assistance).

The Problem

1) How do you register and maintain the people in a secondary Directory?

2) Does the DA even work with TOTP?

The Options I See

Officially, there is only one place, and one place only, where everyone gets registered: the names.nsf.

This is not very helpful, especially given the reliance on the ID Vault for many things these days. By changing licenses, there is no way to "convert non-ID people to Notes ID people."

What do you do?

1) Copy, not replicate, the names.nsf to extnames.nsf, move the actual names.nsf out of the way, rename extnames to names, and then register everyone to it. Once done, put back the original names.nsf and off you go.

As pointed out in our OpenNTF.org Discord channel, the problem with this is that the user and ID would not be properly found for encryption/certification. This is a very valid point I wasn't thinking about at first. Thank you, Ulrich and Detlev.

2) Register all 7,000 into the names.nsf properly, like normal. Then, manually copy the 7,000 to the extnames.nsf. Then delete, just a regular delete, not an AdminP delete, the 7,000 from the names.nsf.

By doing this, we preserve the user's encryption/certification, and should a name need to be renamed/edited, we can copy the user back and fix it. One could also just create a new account, etc., and remove the bad one from extnames.nsf.

3) Create a new Domain, register everyone to it, and cross certify it with the existing domain. This may or may not be the answer as well; it depends on circumstances.

4) Otherwise, I have no other ideas. However, there is an AHA idea asking HCL to think about a way to register people to some other .nsf. Take a look and vote over here.
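As an added illustration of option 2 (not the post's own code, nor the OpenNTF Admin Snippets), here is a LotusScript agent that moves the Person documents for a list of already-registered users from names.nsf to extnames.nsf with a plain document delete. It assumes both databases are on the current server and uses constructed sample names in place of the registration CSV.

```lotusscript
' Added example: move registered users from names.nsf to the secondary
' directory extnames.nsf (option 2 above). Not code from the original post.
' Assumes both databases sit on the current server; the names below are
' constructed samples standing in for the registration CSV.
Sub Initialize
    Dim session As New NotesSession
    Dim srcDb As NotesDatabase
    Dim dstDb As NotesDatabase
    Dim srcUsers As NotesView
    Dim dstUsers As NotesView
    Dim doc As NotesDocument
    Dim existing As NotesDocument
    Dim userNames(2) As String
    Dim i As Integer

    ' Constructed sample list; in practice read these from the CSV
    userNames(0) = "CN=Test User1/O=ExtOrg"
    userNames(1) = "CN=Test User2/O=ExtOrg"
    userNames(2) = "CN=Test User3/O=ExtOrg"

    Set srcDb = session.GetDatabase("", "names.nsf")
    Set dstDb = session.GetDatabase("", "extnames.nsf")
    Set srcUsers = srcDb.GetView("($Users)")
    Set dstUsers = dstDb.GetView("($Users)")

    For i = 0 To UBound(userNames)
        Set doc = srcUsers.GetDocumentByKey(userNames(i), True)
        If doc Is Nothing Then
            Print "Not in names.nsf, skipped: " & userNames(i)
        Else
            ' Guard against duplicate records: skip if the secondary
            ' directory already holds an entry for this name
            Set existing = dstUsers.GetDocumentByKey(userNames(i), True)
            If existing Is Nothing Then
                ' CopyToDatabase keeps every field, including the public
                ' key and certificate data written at registration
                Call doc.CopyToDatabase(dstDb)
                ' Plain document delete: no AdminP request is generated,
                ' so the ID Vault entry and ACLs are left untouched
                Call doc.Remove(True)
                Print "Moved: " & userNames(i)
            Else
                Print "Already in extnames.nsf, left alone: " & userNames(i)
            End If
        End If
    Next
End Sub
```

Run updall against both directories afterwards, as the post does, so DA lookups see the moved entries.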

If anyone has any ideas, let me know in the comments.

I will get to the DA question shortly.

Details and Planning

I started with my blog post and the CSV file I needed with 4 test users.

Copied the 4 test users from the extnames.nsf to the names.nsf.

Went to register the users, verified information, etc.

And got this error: "The user's flat name matches another user with a different hierarchical name."

You should know that I ran into a bug in the Notes Admin and Domino Server v12.0.2, which you can read about here. Upgrading the client/server is the basic answer to resolve this one. Although Domino was already at 14.0FP1, my Notes Admin client had yet to be updated.

Once updated, everything went as it should.

Well, only some things.

I need to do more testing, but I think the "just updating an existing user" registration option is not working properly because I now have 2 completely different entries for each test user.

My theory is that the existing users, being "unregistered web users" with "other mail", were not seen as the same people, and so Domino created the new entries. I know the ways to work around this if that is the case, but more testing will validate what I need to do. After all, I will have 7,000 to update; fixing one manually is fine, but all of them? For that, I have my OpenNTF Admin Snippets to help me. I will blog about this after testing is completed.

In any event, I copied the 4 people out of names.nsf, put them in the extnames.nsf, and reindexed both directories as it was testing time.

Testing TOTP and DA

Ready for testing, I turned on TOTP in the Security setting, edited the domcfg.nsf for the test URL, checked that the extnames.nsf was enabled in the DA, and then restarted Domino.

When Domino comes up, everything looks okay. I open a browser, put in the URL, and see the login screen with the MFA details. So far, so good.

The first test is my own log-in. I am in the names.nsf, and my ID is in the ID Vault. I passed, and there are no issues.

Log in as one of the new test users for the second test. Invalid password.

It seems, and this may be a customer agent, that the users are not supposed to have a web password. I added their password back, it was in my CSV, reindexed, and tried again.

Different error. A "user not found" type error.

I was logging in as FirstName LastName, which is how I log in, but there is only one record of me, while there are 2 of each test user. I logged in with the Org domain name and got one step closer; this time it just crashed on me.

Ok, I cleared the browser cache, restarted Chrome, and tried again.

This time I received an invalid access error.

This is important because the HCL documentation does not say anywhere that the DA will work with TOTP on its own. It only discusses the DA via Cross-Domain Authentication, as you can see here.

I looked at how the DA was set up and changed the Group Authorization setting to Yes from No.

Made sure Trusted for Credentials in the Naming Contexts tab was set to YES.

Then I tried it again.

And it worked this time. I was prompted to set up the MFA and log in as the extnames test user.

Conclusion

I still have more procedures to test and document, but the ability to leverage TOTP in a secondary directory via DA is not a limitation for the rollout.