Configuring agtgdmno
The Domino server script agent (agtgdmno) uses a configuration file that is specified as part of the target system address. It has the following form:
    "" "" = {
        "<operation_1>" "" = {
            ....
        }
        "<operation_2>" "" = {
            ....
        }
        .
        .
        .
        "<operation_N>" "" = {
            ....
        }
    }
where the supported operations are:
change Changes the password for an account, from a known current value to a desired new value. If the application supports the concept of intruder lockout, then the intruder lockout counter is cleared and the account unlocked. If the application supports the concept of password expiry, then the expiry date is set according to the expiry policy of the application.
reset Administratively resets an account’s password to a new value. If the application supports the concept of intruder lockout, then the intruder lockout counter is cleared and the account unlocked. If the application supports the concept of password expiry, then the expiry date is set according to the expiry policy of the application. Disabled accounts will remain disabled.
adminverify Checks if a given password is the correct, current password for an account without triggering an intruder lockout if the password is not correct.
verifyreset Verifies if the account’s password matches the new password, and if the verification fails, administratively sets it to the new password. If the verification succeeds, then the reset is not necessary, and the operation returns success.
resetexpirepw Administratively resets an account’s password to a new value and expires the account’s new password, so that the user is forced to change his password the next time he logs in.
expirepw Expires an account’s password.
ispwexpired Checks if an account’s password is expired.
unexpirepw Unexpires an account’s password.
list Lists users, groups, and/or attributes, each one defined as a KVGroup inside of list.
verify Checks if a given password is the correct, current password for an account. If the application supports the concept of intruder lockout and the verification fails, the intruder lockout counter is incremented.
userattributes Lists attributes for a specified account.
isenabled Checks if an account is enabled.
enable Enables an account.
disable Disables an account.
rename Renames an existing account’s short ID.
create Creates a new account on the target system. This operation creates the account (possibly using a template for some attribute values), then sets other attribute values – including the password for the new account.
This operation should return the group ID.
delete Deletes an existing account on the target system. The typical behavior is to first ensure that the account being deleted exists.
update Updates attributes for an existing account.
This operation should return the group ID.
expireacct Expires an account.
isacctexpired Checks if an account is expired.
unexpireacct Unexpires an account.
lock Locks an account (sets the intruder lockout).
unlock Unlocks an account (clears the intruder lockout).
islocked Checks if an account is locked.
groupuseradd Adds an account to a group.
This operation must return a status.
groupuserdelete Removes an account from a group.
This operation must return a status.
movecontext Moves an account to a new context or location on a context-sensitive target. This operation should return the account’s long ID and short ID.
groupcreate Creates the specified group.
groupdelete Deletes the specified group.
How the file is configured depends on whether the target system database is names.nsf or a generic Domino database. Guidelines for creating the configuration file are provided for both scenarios. A sample configuration file (agtgdmno.cfg) is provided in the <instance>\samples\ directory.
If you cannot find the sample file, try re-running setup to modify your installation. Sample files are automatically installed with complete (typical) installations. You can select them in custom installations.
The agtgdmno.cfg file must be saved in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory with UTF-8 encoding.
Configuring agtgdmno for use with a names.nsf database
You must configure the following items in the configuration file:
List operations
LotusScript agent operations
Configuring list operations
List operations are programmed into agtgdmno; they are not handled by a LotusScript agent. The form of the KVGroup for list operations for a names.nsf database is:
    "list" "" = {
        "user" "" = {
            "database" = "<Domino server>!!names.nsf"
            "view" = "People"
            "sort-column" = "Name"
            "search-field" = "Name"
            "longid-field" = "FullName"
            "shortid-field" = "ShortName"
            "first-name-field" = "FirstName"
            "middle-name-field" = "MiddleName"
            "last-name-field" = "LastName"
            "type-field" = "Type"
            "type-value" = "Person"
        }
        "group" "" = {
            "database" = "<Domino server>!!names.nsf"
            "view" = "Groups"
            "sort-column" = "Groups"
            "search-field" = "ListName"
            "groupid-field" = "ListName"
            "member-field" = "Members"
            "description-field" = "ListDescription"
        }
        "attribute" "" = {
            "attribute" = "groups"
            "attribute" = "<attribute name 2>"
            .
            .
            "attribute" = "<attribute name N>"
        }
    }
In order to list groups, the group KVGroup must be defined and one of the attributes must be set to "groups". In order to list other attributes, the attribute must be added to the attribute KVGroup as follows:
    "attribute" "" = {
        "attribute" = "groups"
        "attribute" = "<attribute name 2>"
        .
        .
        "attribute" = "<attribute name N>"
    }
where <attribute name#> is the name of a field in the names.nsf database; for example, <attribute name 2> could be replaced with ShortName. Add a key value to the attribute KVGroup for each attribute that you want to list.
By default, a generic Domino target has no defined attributes, so for each attribute listed in the attribute KVGroup, you must add a matching attribute to the target. See Account attributes in the Bravura Security Fabric configuration documentation to learn how to do this.
Configuring LotusScript agent operations
You must add a KVGroup for each LotusScript agent operation that has been defined, using the following form. The KVGroup must be named using the correct agent operation (see Configuring agtgdmno).
    "<Agent Operation>" "" = {
        "agent-name" = "<LotusScript agent name>"
        "agent-database" = "<Domino server>!!names.nsf"
        "agent-form" = "<Agent database form>"
        "agent-statistics" = "<yes/no option for outputting the log information from LotusScript agent>"
    }
Configuring agtgdmno for use with generic Domino databases
You must configure the following items in the configuration file:
List operations
UserAttributes operation
LotusScript agent operations
Configuring list operations
List operations are programmed into agtgdmno; they are not handled by a LotusScript agent. The form of the KVGroup for list operations for a generic Domino database is:
    "list" "" = {
        "user" "" = {
            "database" = "<Domino server>!!<target database>.nsf"
            "view" = "<Target database view>"
            "sort-column" = "<Field which the view is sorted on>"
            "search-field" = "<Name of the field to search on>"
            "longid-field" = "<Long ID field>"
            "shortid-field" = "<Short ID field>"
            #The full name field does not need to be specified if
            #first-name-field and last-name-field are specified
            "fullname-field" = "<Full name field>"
            #The first-name-field, middle-name-field, and last-name-field
            #do not need to be specified if the fullname-field is
            #specified.
            "first-name-field" = "<First name field>"
            "middle-name-field" = "<Middle name field>"
            "last-name-field" = "<Last name field>"
            "type-field" = "<Type field>"
            "type-value" = "<Type value>"
        }
        "group" "" = {
            "database" = "<Domino server>!!<target database>.nsf"
            "view" = "<Target database view>"
            "sort-column" = "<Field which the view is sorted on>"
            "search-field" = "<Name of the field to search on>"
            "groupid-field" = "<Group ID field>"
            "member-field" = "<Group members field>"
            "description-field" = "<Group description field>"
        }
        "attribute" "" = {
            "attribute" = "groups"
            "attribute" = "<attribute name 2>"
            .
            .
            "attribute" = "<attribute name N>"
        }
    }
By default a generic Domino target has no defined attributes, so for each attribute listed in the attribute KVGroup, you need to add a matching attribute to the target. See Account attributes in the Bravura Security Fabric configuration documentation to learn how to do this.
Configuring UserAttributes operation
The UserAttributes operation is programmed into agtgdmno. It is not handled by a LotusScript agent. The form of the KVGroup for the UserAttributes operation for a generic Domino database is:
    "userattributes" "" = {
        "user" "" = {
            "database" = "<Domino server>!!<target database>.nsf"
            "view" = "<Target database view>"
            "sort-column" = "<Field which the view is sorted on>"
            "search-field" = "<Name of the field to search on>"
            "longid-field" = "<Long ID field>"
            "shortid-field" = "<Short ID field>"
            #The full name field does not need to be specified if
            #first-name-field and last-name-field are specified
            "fullname-field" = "<Full name field>"
            #The first-name-field, middle-name-field, and last-name-field
            #do not need to be specified if the fullname-field is
            #specified.
            "first-name-field" = "<First name field>"
            "middle-name-field" = "<Middle name field>"
            "last-name-field" = "<Last name field>"
            "type-field" = "<Type field>"
            "type-value" = "<Type value>"
        }
        "group" "" = {
            "database" = "<Domino server>!!<target database>.nsf"
            "view" = "<Target database view>"
            "sort-column" = "<Field which the view is sorted on>"
            "search-field" = "<Name of the field to search on>"
            "groupid-field" = "<Group ID field>"
            "member-field" = "<Group members field>"
            "description-field" = "<Group description field>"
        }
        "attribute" "" = {
            "attribute" = "groups"
            "attribute" = "<attribute name 2>"
            ....
            "attribute" = "<attribute name N>"
        }
    }
By default a generic Domino target has no defined attributes, so for each attribute listed in the attribute KVGroup, you need to add a matching attribute to the target. See Account attributes in the Bravura Security Fabric configuration documentation to learn how to do this.
Configuring LotusScript agent operations
You must add a KVGroup for each LotusScript agent operation that has been defined, using the following form. The KVGroup must be named using the correct agent operation. See Configuring agtgdmno.
    "<Agent Operation>" "" = {
        "agent-name" = "<LotusScript agent name>"
        "agent-database" = "<Domino server>!!<agent database>.nsf"
        "agent-form" = "<Agent database form>"
        "agent-statistics" = "<yes/no option for outputting the log information from LotusScript agent>"
    }
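A configuration file can be checked against the rules on this page before it is saved to the script directory. The following Python sketch is an added example, not part of the Bravura Security product or its documentation: the grammar it parses is inferred from the forms shown above, the sample values (srv1, ResetPw, VerifyPw) are constructed, and treating all four agent-* keys as required is an assumption. It expects a file with balanced braces and the outer "" "" = { } wrapper.

```python
import re

BUILTIN = {"list", "userattributes"}   # handled by agtgdmno itself, per the page
AGENT_OPS = set(("change reset adminverify verifyreset resetexpirepw expirepw ispwexpired "
    "unexpirepw verify isenabled enable disable rename create delete update expireacct "
    "isacctexpired unexpireacct lock unlock islocked groupuseradd groupuserdelete "
    "movecontext groupcreate groupdelete").split())
AGENT_KEYS = ("agent-name", "agent-database", "agent-form", "agent-statistics")
SAMPLE = '''"" "" = {
  # Constructed sample: "groups" is listed without a "group" KVGroup, "rest" is a typo
  "list" "" = {
    "attribute" "" = { "attribute" = "groups" "attribute" = "ShortName" }
  }
  "rest" "" = { "agent-name" = "ResetPw" }
  "verify" "" = { "agent-name" = "VerifyPw" "agent-database" = "srv1!!names.nsf" }
}'''

def parse(text):
    """Parse KVGroup text (assumed grammar: quoted strings, '=', braces, '#' comment lines)."""
    toks = iter(re.findall(r'"[^"]*"|[={}]', re.sub(r"(?m)^\s*#.*$", "", text)))
    def group():
        items = []
        for tok in toks:
            if tok == "}":
                break
            if next(toks) == "=":                  # "key" = "value"
                items.append((tok[1:-1], next(toks)[1:-1]))
            else:                                  # "name" "" = { ... }
                next(toks), next(toks)             # skip '=' and '{'
                items.append((tok[1:-1], group()))
        return items
    return group()

def lint(text):
    """Return findings for rules stated on the page; an empty list means clean."""
    out = []
    for name, body in parse(text)[0][1]:           # contents of the outer "" "" = { }
        if name in BUILTIN:
            sub = dict(body)
            attrs = [v for k, v in sub.get("attribute", []) if k == "attribute"]
            if ("group" in sub) != ("groups" in attrs):
                out.append(f'{name}: "group" KVGroup and attribute "groups" go together')
        elif name in AGENT_OPS:
            out += [f"{name}: missing {k}" for k in AGENT_KEYS if k not in dict(body)]
        else:
            out.append(f"{name}: not a supported operation")
    return out

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

A misspelled operation name is worth catching early, since the KVGroup must be named using the correct agent operation.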