Urs-o-Log – Page 37 – by Michael Urspringer

Danke der Nachfrage ….

… aber mein Leben besteht durchaus auch noch aus anderen Dingen als Lotus Quickr.

Bin allerdings derzeit ziemlich beschäftigt und in der verbleibenden Zeit hatte ich wenig Lust verspürt zu bloggen.

Aber soweit geht es uns gut. Letzte Woche haben wir unsere Indien-Erinnerungen bei Bollywood – The Show aufgefrischt und am Freitag haben wir Tränen gelacht bei Badesalz in Aschaffenburg.

Werde in Zukunft wieder versuchen außer Einträgen zu Quickr auch noch mal über andere Dinge zu schreiben … versprochen!

Configuring Domino LDAP Security with Quickr (J2EE)

While using the wizard to enable LDAP security for Lotus Quickr (J2EE) together with an Domino LDAP directory I alway got the message “Entity does not exist in directory”. although I checked every user, group and passwords used I did not find the problem.

[More:]

I better should have read the documentation in InfoCenter first. 🙂

There it is decribed how to create person documents for the administrative users.

For the user “wpsbind” e.g. you have to add a person document and enter “wpsbind” into the field “Last name”. Then, and this is the important thing, you have to enter “wpsbind/DominoDomainName” as the first entry and “wpsbind” as the second entry into the field “Username”.

Caution: It is a bit unclear in the documentation what “DominoDomainName” stands for: Sometimes you can read “DominoDomain is your Lotus Domino Internet domain” and sometimes it is “DominoDomain is your Lotus Domino Domain”. So, in fact, it is really the Domino domain name of the LDAP server what you have to add after the slash.

You then have to make sure that the full name “wpsbind/DominoDomainName” (or whatever user you created for this purpose) has at least reader access to the Domino directory on the Domino LDAP server. If you have more than one address book added via directory assistance make sure that this user has reader access to all of them. Otherwise, or if one of the address books is not available to the LDAP server when you enable security for Quickr, the wizard may fail with an LDAP error 50.

Within the wizard you enter all users with the following syntax “cn=username,o=DominoDomainName”.

If you follow this rules then the wizard should enable LDAP security without a problem.

Update:

On one of the wizard’s screens you have to enter the “Web server host name”. Please make sure that you really enter only the host name without a leading “http://” as it is described in the help for this page. Otherwise enabling security will fail (as last message you will see “Calling ContentModelInitializer” in enable-ldap-security.log).

Connect Lotus Quickr to LDAP based on Active Directory

Below you find the QPCONFIG.XML which I used at a customer site to connect Lotus Quickr (Domino Services) to an Active Directory LDAP source for authentication.

Although this configuration worked in my environment you might need to adapt some parts to fit in your environment (especially some of the LDAP attributes used). You easily can check what attributes are used in your environment with a freeware tool called “Softerra Ldap Browser“.

[codesyntax lang=”xml” title=”qpconfig.xml”]

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<server_settings>

<offline enabled="true" use_login_passwords="true" >

<name_translation enabled="true">
<from_directory_name>
<translate from="CN=(.+)/(.+)/DC=acme/DC=com" to="CN=\1/\2/O=acme_com" />
</from_directory_name>
<to_directory_name>
<translate from="CN=(.+)/(.+)/O=acme_com" to="CN=\1/\2/DC=acme/DC=com" />
</to_directory_name>
</name_translation>

</offline>

<super_user enabled="true">
<dn>CN=IT_WindowsServer_Admins,OU=acme (Organisation),OU=acme Groups,DC=acme,DC=com</dn>
</super_user>

<user_directory>

<ldap>

<base_dn>
<group>DC=acme,DC=com</group>
</base_dn>

<schema>

<ldap_is_active_directory enabled="false" />
<do_not_deref_for_groups enabled="true" />
<dn_delimiter robust_compare="false"/>
<dn_incoming_is_native enabled="true"/>
<secondary_cn_component enabled="true"/>
<maintain_escape_character enabled="false"/>

<object_class>objectClass</object_class>
<user>
<object_class_value>person</object_class_value>
<common_name>cn</common_name>
<display_name>cn</display_name>
<first_name>givenname</first_name>
<last_name>sn</last_name>
<email>mail</email>
<phone>telephoneNumber</phone>
</user>
<group>
<object_class_value>group</object_class_value>
<common_name>cn</common_name>
<display_name>cn</display_name>
<member>member</member>
</group>
</schema>

<search_filters>
<authentication>
<![CDATA[
(|(sAMAccountName={0})(cn={0}))
]]>
</authentication>
<user_lookup>
<![CDATA[
(&(objectclass=person)(sn={0})(givenname={1}))
]]>
</user_lookup>

<group_lookup>
<![CDATA[
(&(objectclass=group)(cn={0}))
]]>
</group_lookup>

<group_membership>
<![CDATA[
(&(objectclass=group)(member={0}))
]]>
</group_membership>

</search_filters>

<member_lookup_ui>

<column_name>
<person>sn, givenname</person>
</column_name>

<column_disambiguate>
<person>dn</person>
</column_disambiguate>

</member_lookup_ui>

<search_ui_hint>
<![CDATA[
( enter <B>last name, first name</B>)
0; ]]>
</search_ui_hint>

<search_ui_index>sn</search_ui_index>

</ldap>

</user_directory>

</server_settings>

100

101

102

103

104

105

106

107

108

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<server_settings>

<name_translation enabled="true">

<from_directory_name>

</from_directory_name>

<to_directory_name>

</to_directory_name>

</name_translation>

</offline>

<super_user enabled="true">

<dn>CN=IT_WindowsServer_Admins,OU=acme (Organisation),OU=acme Groups,DC=acme,DC=com</dn>

</super_user>

<user_directory>

<ldap>

<base_dn>

</base_dn>

<ldap_is_active_directory enabled="false" />

<do_not_deref_for_groups enabled="true" />

<dn_delimiter robust_compare="false"/>

<dn_incoming_is_native enabled="true"/>

<secondary_cn_component enabled="true"/>

<maintain_escape_character enabled="false"/>

<object_class>objectClass</object_class>

<user>

<object_class_value>person</object_class_value>

<common_name>cn</common_name>

<display_name>cn</display_name>

<first_name>givenname</first_name>

<last_name>sn</last_name>

<phone>telephoneNumber</phone>

</user>

<group>

<object_class_value>group</object_class_value>

<common_name>cn</common_name>

<display_name>cn</display_name>

<member>member</member>

</group>

</schema>

<search_filters>

<![CDATA[

(|(sAMAccountName={0})(cn={0}))

]]>

</authentication>

<user_lookup>

<![CDATA[

(&(objectclass=person)(sn={0})(givenname={1}))

]]>

</user_lookup>

<group_lookup>

<![CDATA[

(&(objectclass=group)(cn={0}))

]]>

</group_lookup>

<group_membership>

<![CDATA[

(&(objectclass=group)(member={0}))

]]>

</group_membership>

</search_filters>

<member_lookup_ui>

<column_name>

<person>sn, givenname</person>

</column_name>

<column_disambiguate>

</column_disambiguate>

</member_lookup_ui>

<search_ui_hint>

<![CDATA[

( enter <B>last name, first name</B>)

0; ]]>

</search_ui_hint>

<search_ui_index>sn</search_ui_index>

</ldap>

</user_directory>

</server_settings>

[/codesyntax]

In addition to the above configuration you need to add the root point of your LDAP tree (see above) in corresponding field in the Quickr Site Administration:

Quickr Directoiry Config

You also need to do some work to get the Quickr offline capability working with Active Directory. I will describe how to do this in a later post.

Update:

David Byrd has just published a very good article in the Quickr wiki regarding AD integration.

Lotus Quickr: “Create a place” link visible without logging in

At a customer site we did have the problem that the “Create a place” link of Lotus Quickr (Domino) was visible even if no user was logged into Quickr. So every user was able to create a place even if this functionality was restricted to special users/groups.

[More:]

In the database “….\lotusquickr\lotusquickr\main.nsf” there is a document with the title “Create a place”. In this document there is a field “h_Readers” which contains all users/groups which are able to create new places. This field contained, among other entries, also the entry “Anonymous”. Because of that the “Create a place” link is visible even if no user is logged in.

The question was why this field contained this entry. After some investigation I found out that Quickr adds all entries of the ACL of the MAIN.NSF to this field (and in addition all users and groups you add to “Who can create new places on this server?” within the Quickr site administration).

After deleting the “Anonymous” entry from the ACL (and in addition deleting it from the ACL of “CreateHaiku.nsf” too which also contained this entry) and then re-adding the persons and groups to “Who can create new places on this server?” again the field was populated correctly.

Afterwards the link to “Create a place” was no longer visible if no user was logged in.

~~Unfortunately I was not able to find out why the two databases did contain “Anonymous” in their ACLs. I am quite sure that we did not add these entries manually…~~

Update:

I just found out when “Anonymous” is added to the ACL: It happens every time you issue the command “load qptool upgrade -f -server” as you are e.g. doing when implementing a new hotfix.

The “Anonymous” entry in MAIN.NSF with reader access seems to be ok for me. But you should make sure that “Anonymous” has “No Access” in the database “CreateHaiku.NSF” in the LotusQuickr directory (it does not need to be deleted!).

Unattended installation of Lotus Quickr connectors

I was asked several times if there is an unattended installation available for the Lotus Quickr connectors please find here the link to a corresponding IBM technote which describes how to do that.

With an unattended (quiet) installation you should also be able to install Lotus Quickr connectors via your software distribution system even if your users do not have administrative rights on their machins.

I was not able to test it with a distribution system until now but did some tests with an unattended installation via the Windows scheduler task (running with an user who has admin rights) and this worked perfectly.

If you want to pre-configure connector settings (e.g. the name of your Quickr servers)you can do that by adding the corresponding registry keys which are saved under

[HKEY_CURRENT_USER\Software\IBM\Lotus Quickr\Desktop Integration\Servers]

Update [2009-02-19]:

After you perform a silent installation of the Lotus Quickr Connectors, the connectors are installed successfully but might not be listed in the Add/Remove programs list in Microsoft Windows. To resolve this issue, add the following switch to the command line for the silent install: ALLUSERS=2

Update [2009-10-22]:

See also this posting for upgrading an existing installation.

Auszeit …

Da der nächste Urlaub vermutlich erst im Juni sein wird (die derzeitige Planung sieht eine Rundreise durch den Norden von Portugal vor), nehmen wir nun noch mal eine kurze Auszeit (der Resturlaub muss ja auch irgendwie weg) und sind daher jetzt mal wieder für eine Woche in Lauterbad.

Gute Vorsätze …

… gibt es, wie üblich, hier bei mir keine … meistens werden sie ja doch nicht eingehalten.

Einen großen Jahresrückblick gibt es auch nicht. Es gibt eigentlich eh nur 2 Highlights in 2007: Unser erstes Jahr in der neuen Wohnung und mein Wechsel von IBM SO zur IBM Software Group. Beide Entscheidungen waren auf jeden Fall richtig und seit langem überfällig. In der Wohnung incl. dem Umfeld fühlen wir uns wieder richtig wohl und der Job macht auch wieder Spaß, was ja schon länger nicht mehr wirklich der Fall war.

In diesem Sinne hoffe ich mal, daß es auch in 2008 so weitergeht und wünsche allen, die ich in den letzten Tagen nicht getroffen, gesprochen oder geschrieben habe, einen guten Rutsch und ein frohes und glückliches Jahr 2008!

Faxen mit der Fritz!Box 7170

Seit einiger Zeit kann man über die Fritz!Box auch FAxe versenden, ohne dass man zusätzlich eine ISDN-Karte eingebaut haben muss.

Genaueres hierzu findet sich auf dieser Webseite.

Bei mir gab es aber nach der Installation der Software das Problem, daß die Faxsoftware nach dem Starten erst einmal eine Kunstpause eingelegt hat, während der sie die Fritz!Box im LAN gesucht hat. Nach einigen Minuten wurde die Box dann auch problemlos gefunden und die Software startete auch korrekt. Beim nächsten Aufruf war aber wieder Warten angesagt.

Um diese Wartezeit zu verhindern, habe ich folgenden Registry-Key eingetragen (und damit die IP-Adresse meiner Box der Software bekannt gemacht, damit sie nicht mehr suchen musste):

[HKEY_LOCAL_MACHINE\SOFTWARE\AVM\AVMIGDCTRL]
“FoundFritzBoxes”=”192.168.1.1”

Danach läuft nun alles ganz ohne Wartezeit ab und funktioniert auch einwandfrei.

Frohe Weihnachten

Allen Lesern meiner Seiten wünsche ich ein frohes und geruhsames Weihnachtsfest.

Dieses Jahr wird’s bei uns ganz sicher etwas ruhiger, da mich rechtzeitig zu den freien Tagen eine starke Erkältung erwischt hat und ich seit 3 Tagen schon im Bett stecke. Heute musste ich dann doch den ärztlichen Notdienst bemühen und mir eine Dosis Antibiotika abholen, da es eher schlimmer als besser wird.

Melde mich dann wieder, wenn ich einigermaßen auf dem Damm bin.

Lotus Quickr (Domino) Hotfix 6Hotfix 7

This time I just modify my last post from yesterday evening …. instead of Hotfix 6 it now reads simply Hotfix 7 🙂

This time I am a little bit late…. ~~Hotfix 6~~ Hotfix 7 for Lotus Quickr (Domino Services) is out since yesterday. BTW: There was no public Hotfix 5 as far as I know …

[More:]

In the hotfix documentation you now will also find some instructions what to do after applying the fix.

I am not sure if the comamnds are in the correct order as they write:
• Upgrade all the places and Placetypes:
load qptool upgrade -f –a
• Upgrade all the databases on the server:
load qptool upgrade -f –server
I am quite sure that you should do it the other way round (as it was decsribed in the past) but I am still trying to verify this.

They now have corrected the order in the readme of Hotfix 7.

In addition to the commands you have to run in the past you now should also unregister and register all places again afterwards:

load qptool unregister -a -placecatalog
load qptool register -a -placecatalog