For those who are not aware, Lotus Notes is a cool system, which has very powerful database replication abilities, and very strong certificate management and signing.

However that strong certificate usage is itself one of Notes's downfalls.

When you log in to Lotus Notes via a Notes client, the password you use is not stored anywhere, except as the encrypt/decrypt key to the Private Key stored in the Notes ID file on your local workstation.

What this means is that you can have 15 copies of this file, with 15 different passwords, and each one is valid, as long as you have the matching password.

For Identity Management systems, this is pretty crippling, as there is no server side component to access the password change event, rather it is entirely client based, and the server can barely even tell it happened!

The rumours I hear are that in later releases of Lotus Notes/Domino, this ID file based authentication is starting to change.

I am having trouble finding clear cut explanations for what is changing, how, and in what version. (8.5? 9? Later?)

Second part to this question is, what is happening in terms of Active Directory integration? I heard it rumoured that AD authentication might be allowed instead of ID file authentication. My guess on that aspect is that the ID file stored on the server will still be used for authorization, but the successful Active Directory authentication will be used to unlock access to it? Or is it some other model?

Looking for someone's perspective who has figured this out already!

On a side note, there is a second password (httpPassword) that is used when Notes's Webmail is accessed, since of course the server has no access to the local ID file when the user authenticates. One assumes this is the model they would move to for other forms of authentication, but as we all know, assuming is a bad plan!

+3  A: 

Notes Domino 8.5 has the new ID Vault feature. It was released in early January.

ID Vault works by keeping a copy of the id securely on the server. It then provisions the id on demand to the user. This allows for a configuration where the user asks the server to reset the password and the server makes the change to the id file before downloading it to the user.

More info on ID Vault here:

A New Way to Manage Notes User IDs and Passwords (dominoblog.com)

Sneak peak - the Domino 8.5 id vault (pmooney.net)

Updated: 8.5 has been released.
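To make the two models concrete, here is an added toy simulation (not IBM/Lotus code, and not how the real ID file format works internally) of the mechanism the question describes, where the password is only the wrapping key for the private key so any number of copies with different passwords stay valid and the server never sees a change, plus the server-side escrow the answer describes for ID Vault. The KDF, the SHA-256 counter-mode keystream, the dict layout and the `IDVault` class are all assumptions for illustration.

```python
import hashlib
import hmac
import os
# Toy model of the Notes ID file (added example, not IBM/Lotus code): the private key
# is stored only wrapped under a password-derived key. KDF and cipher are stand-ins.
def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _keystream_xor(key, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap_id(private_key, password):
    """One ID-file copy: fresh salt, wrapped key and a MAC, all under this password."""
    salt = os.urandom(16)
    k = _kdf(password, salt)
    ct = _keystream_xor(k, private_key)
    return {"salt": salt, "ct": ct, "tag": hmac.new(k, salt + ct, "sha256").digest()}

def unwrap_id(id_file, password):
    """Return the private key, or None if the password does not fit this copy."""
    k = _kdf(password, id_file["salt"])
    tag = hmac.new(k, id_file["salt"] + id_file["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, id_file["tag"]):
        return None
    return _keystream_xor(k, id_file["ct"])

def change_password(id_file, old_password, new_password):
    """Client-side change: re-wrap the same key; every older copy stays valid."""
    key = unwrap_id(id_file, old_password)
    if key is None:
        raise ValueError("wrong password")
    return wrap_id(key, new_password)
class IDVault:
    """Server-side escrow as in the answer: the vault keeps its own wrapped copy,
    so an admin reset re-wraps it under a new password and re-provisions it."""
    def __init__(self, vault_password):
        self._vault_password = vault_password
        self._escrow = {}
    def enroll(self, user, id_file, user_password):
        key = unwrap_id(id_file, user_password)
        if key is None:
            raise ValueError("wrong password")
        self._escrow[user] = wrap_id(key, self._vault_password)
    def reset(self, user, new_password):
        key = unwrap_id(self._escrow[user], self._vault_password)
        return wrap_id(key, new_password)
```

Note that `change_password` touches nothing on the server side, which is exactly why an identity management system cannot observe it; only the vault copy gives the server a handle on the key.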

kerrr
Ah darn it! I was so hopeful they would just do away with the ID certs altogether. Bummer.
geoffc
I updated the question, adding a bit about the Active Directory authentication integration I have been hearing rumours about. Anything on that topic?
geoffc
My understanding is that with ID vault the id file can be provisioned such that it is transparent to the user. So the id file can be provisioned to you after entering the correct http password. Not sure what's happening with AD integration, but id vault makes transparent integration possible.
kerrr