Password synchronization on HCL Domino

baoussounda · September 12, 2024, 1:58pm

We have a question about password synchronization on HCL Domino.

We installed PW and created a Sync Group for password synchronization between Active Directory and LDAP, HCL Domino.

After testing, we observed that when a password is changed, PWI detect and send it to ISC, the Sync Group in ISC successfully initiates synchronization across different sources.

We’re not sure if ISC is sending the correct password to HCL Domino.

Questions :

• Could you please confirm if the HCL Domino change password provisioning policy is applied when the ISC synchronizes passwords ?
• Below is the default configuration for the change password policies:

• If the policy is applied, what configurations need to be made ?

baoussounda · September 13, 2024, 8:10am

Hi @vju11,

Do you have an idea password synchronization on HCL Domino ?

I see the following section in documentation Update Policies (sailpoint.com)

And i update change_password provisioning policies like this :

And when password is changed on Active Directory, PWI catch it and send it to ISC and we observed in Account Actitity that the password is successfuly syncrhronized:

But when we try connect with new password in HCL Domino, it doesn’t work and the last change password date is not updated.

baoussounda · September 16, 2024, 1:40pm

@colin_mckibben @colin_mckibben can you please tell us how we can address this kind of connectors specific questions ?

May we create support ticket ?

colin_mckibben · September 16, 2024, 2:17pm

If you are not getting any responses in the forum, you can submit a support ticket or engage with Expert Services.

originalmths · September 16, 2024, 2:50pm

Hi Ousmane,

Has ID Vault been configured in HCL Domino?
To change your password, you must have IDVault configured.

originalmths · September 16, 2024, 2:51pm

originalmths · September 16, 2024, 2:54pm

Just refactoring one point.

It is necessary to validate which type of password should be updated in HCL Domino:

Internet Password

ID Password

There are two objects that can be understood as passwords in HCL Domino.

To change the password in the HCL Domino user’s .ID file, you must have configured the ID Vault. If the password you want to change is the Internet Password, the IDVault is not necessary.

baoussounda · September 16, 2024, 2:57pm

Hi @originalmths,

We want to change this two password

Did you update password currently in your environment ?

How we can configure ID Vault Functionnalities ?

originalmths · September 16, 2024, 2:59pm

If the idea is to update these two objects:

Internet Password
ID Password

Since Sailpoint is changing the ID Password, the application (HCL Domino) must have IDVault configured.

And yes, we have implemented this password change process and it is working.

originalmths · September 16, 2024, 3:00pm

And the policy type is not “CHANGE_PASSWORD”, but “UPDATE”. Sailpoint documentation is poorly documented for this connector.

baoussounda · September 16, 2024, 3:03pm

In Domino Server Side ID Vault is already configured and we want to know which king of configuration must be performed into ISC.

Do you use any update policies ?

originalmths · September 16, 2024, 3:03pm

baoussounda · September 16, 2024, 3:09pm

I will try this update policy.

I also have this following change password policy which exist natively on HCL domino :

in your case do you use this policy ?

originalmths · September 16, 2024, 3:12pm

No, This policy is not triggered. Never.

The password change process is done via IQService, that is, the IQService step must be configured in the source.

It is essential that the IQService is 32-bit.

In addition, there must be an administrator .ID in the folder.

Here in this step you will enter the path where the administrator .ID is stored. This .ID will be used for the IQService to authenticate to HCL Domino and perform the password reset.

baoussounda · September 16, 2024, 3:16pm

Thank you @originalmths

I try to to modify this update policy several time and it never work.

We already have an IQ Service 32bit and Domino client admin installed.

For the administrator ID filte path where this file must copied ? Domino server or IQ Service ?

originalmths · September 16, 2024, 3:17pm

Administrator .ID must be stored on the IQService machine.

baoussounda · September 16, 2024, 3:19pm

And in ISC i can give path like : “C:\program files\Notes\adminfile.id” ?

originalmths · September 16, 2024, 3:21pm

Yes.

For example:

C:\SailPoint\IQService\administrator.id

baoussounda · September 16, 2024, 3:37pm

This file is mandatory ?

I cnnot found it

originalmths · September 16, 2024, 3:42pm

Do you know the account you configured to perform HCL Domino integration?

Admin Name
Admin Password

There is a .ID file for this service account, this .ID should be stored in IQService.

Topic		Replies	Views
IdentityNow password interceptor activity report ISC Discussion and Questions identity-security-cloud , password-management , reports	3	342	April 21, 2024
Password Interceptor for Microsoft Active Directory - New Release and Deprecation Updates Product News identity-security-cloud , feature-deprecation	0	819	January 31, 2024
Managing Password Sync Groups - SailPoint Identity Services ISC Discussion and Questions apis , identity-security-cloud	2	49	October 25, 2024
Password interceptor questions IIQ Discussion and Questions identityiq , password-management	4	498	June 3, 2024
LCM Multiple Password Policies with Mutually exclusive rules IIQ Discussion and Questions workflows , identityiq , provisioning	2	232	March 19, 2024

Password synchronization on HCL Domino

Related topics