Lotus Notes, ID files, and how things are changing in new versions (8 and up)

geoffc · Nov 20, 2008 · Viewed 18.7k times

For those who are not aware, Lotus Notes is a cool system, which has very powerful database replication abilities, and very strong certificate management and signing.

However that strong certificate usage is itself one of Notes's downfalls.

When you log in to Lotus Notes via a Notes client, the password you use is not stored anywhere, except as the encrypt/decrypt key to the Private Key stored in the Notes ID file on your local workstation.

What this means is that you can have 15 copies of this file, with 15 different passwords, and each one is valid, as long as you have the matching password.

For Identity Management systems, this is pretty crippling, as there is no server side component to access the password change event, rather it is entirely client based, and the server can barely even tell it happened!

The rumours I hear are that in later releases of Lotus Notes/Domino, this ID file based authentication is starting to change.

I am having trouble finding clear-cut explanations for what is changing, how, and in what version. (8.5? 9? Later?)

Second part to this question is, what is happening in terms of Active Directory integration? I heard it rumoured that AD authentication might be allowed instead of ID file authentication. My guess on that aspect is that the ID file stored on the server will still be used for authorization, but the successful Active Directory authentication will be used to unlock access to it? Or is it some other model?

Looking for the perspective of someone who has figured this out already!

On a side note, there is a second password (httpPassword) that is used when Notes's Webmail is accessed, since of course the server has no access to the local ID file when the user authenticates. One assumes this is the model they would move to for other forms of authentication, but as we all know, assuming is a bad plan!

Answer

Kerr · Nov 21, 2008

Notes Domino 8.5 has the new ID Vault feature. It was released in early January.

ID Vault works by keeping a copy of the ID securely on the server. It then provisions the ID on demand to the user. This allows for a configuration where the user asks the server to reset the password and the server makes the change to the ID file before downloading it to the user.

More info on ID Vault here:

A New Way to Manage Notes User IDs and Passwords (dominoblog.com)

Sneak peak - the Domino 8.5 id vault (pmooney.net)

Updated: 8.5 has been released.
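The wrap-and-unlock model that the question describes (the password is only the key to the private key inside the ID file, several copies are each valid under their own password, and a client-side change is invisible to the server) and the server-held copy that the answer describes for ID Vault, as an added Python illustration that is neither Notes's real ID-file format nor any ID Vault code. PBKDF2 for the password-derived key and an HMAC counter-mode keystream standing in for a real cipher are assumptions made so the demo runs on the standard library alone.

```python
import hashlib
import hmac
import os
from typing import Optional

def _wrap_key(password: str, salt: bytes) -> bytes:
    """Derive the key that wraps the private key from the password (demo parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _stream(key: bytes, length: int) -> bytes:
    """HMAC counter-mode keystream: a stdlib stand-in for a real cipher, demo only."""
    blocks = [hmac.new(key, b"ks" + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def make_id_file(private_key: bytes, password: str) -> dict:
    """Wrap the private key under a password. The password itself is stored nowhere."""
    salt = os.urandom(16)
    k = _wrap_key(password, salt)
    ct = bytes(a ^ b for a, b in zip(private_key, _stream(k, len(private_key))))
    tag = hmac.new(k, salt + ct, "sha256").digest()  # rejects a wrong password or tampering
    return {"salt": salt, "ct": ct, "tag": tag}

def open_id_file(id_file: dict, password: str) -> Optional[bytes]:
    """Return the private key if the password matches this particular copy, else None."""
    k = _wrap_key(password, id_file["salt"])
    expected = hmac.new(k, id_file["salt"] + id_file["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, id_file["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(id_file["ct"], _stream(k, len(id_file["ct"]))))

def change_password(id_file: dict, old: str, new: str) -> dict:
    """Client-side change: unwrap and re-wrap locally. No server sees it, and the
    old copy stays valid under the old password, which is the question's complaint."""
    key = open_id_file(id_file, old)
    if key is None:
        raise ValueError("wrong password")
    return make_id_file(key, new)

class IdVault:
    """Sketch of the ID Vault idea from the answer: the server keeps its own copy and
    can wrap it under a reset password before provisioning it to the user. The copy is
    held unencrypted here only to keep the demo short; the real vault stores it securely."""
    def __init__(self) -> None:
        self._ids: dict = {}
    def deposit(self, user: str, private_key: bytes) -> None:
        self._ids[user] = private_key
    def provision(self, user: str, new_password: str) -> dict:
        return make_id_file(self._ids[user], new_password)
```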