DIRECTORY SERVICES


Directory assistance and client authentication
To authenticate a user who is accessing a database on an IBM® Lotus® Domino® server via any of the supported Internet protocols -- Web (HTTP), IMAP, POP3, or LDAP -- a server can look up the users' credentials in a directory that is configured in its directory assistance database. Servers can use X.509 certificate security or name-and-password security for the authentication.

To allow a server to use a directory for Internet client authentication that is configured in a directory assistance database, do the following in the Directory Assistance document for the directory:


For example, if your organization registers Web users in a foreign LDAP directory, when a Web user attempts to access a database on a Domino Web server, the server can connect to the remote foreign LDAP directory server to look up the user name and password to do the authentication.

Directory assistance and client authentication

Note A server's primary Domino Directory is always enabled for client authentication. This is true even if you create a Directory Assistance document for the primary Domino Directory and do not select "Make this domain available to: Notes clients and Internet Authentication/Authorization."

Note You use an Internet Site document or the Ports - Internet Ports tab of the Server document to control the types of client authentication an Internet protocol server allows.

Names accepted for name-and-password authentication

If a server uses name-and-password security to authenticate Internet clients, you select the types of names that the server can accept from clients. On the Security - Internet Access tab of the Server document in the primary Domino Directory, select "More name variations with lower security" or "Fewer name variations with higher security" (the default). The selection applies to name and password authentication using any directory, including the primary Domino Directory.

Though a server can accept a name other than a distinguished name from a client to search for a user's entry in a directory, it is always the user's distinguished name in the directory entry that the server compares to trusted rules in the Directory Assistance document to determine whether to authenticate the client. For example, suppose a user is registered in a directory with the distinguished name cn=alice browning,o=Acme, but the user configures the name alice browning on the client. During authentication, the server searches for an entry that contains the name alice browning. When it finds the entry, it can only authenticate the client if "cn=alice browning,o=acme" matches a trusted naming rule for the directory.

A user's distinguished name is also used as the basis for access control in Domino, so you should use users' distinguished names in database ACLs, in groups used in database ACLs, in access lists in Server documents, and in Web server File Protection documents.

Encountering duplicate names during client authentication

If a server finds more than one directory entry containing the name presented by the client that corresponds to a valid distinguished name for authentication, within one directory or across directories, the server authenticates the client using the entry with the valid password or X.509 certificate. If more than one such entry has a valid password or X.509 certificate and the same distinguished name, the server authenticates the user using the first password or X.509 certificate it finds.

Consistent client names and passwords across protocols

If Domino servers authenticate a client over more than one Internet protocol, for ease of directory administration, create one directory entry for the client with one name and password that applies to all the protocols. Then set up the client to use the same name and password for all protocols.

For example, if a client connects to Domino over HTTP for Web browsing and over LDAP for directory services, create one directory entry for the cllient with a name and password, and set up the client to use the name and password for both types of connections.

Features available for client authentication using a remote LDAP directory

The following features are available specifically for client authentication using a remote LDAP directory:


Notes client authentication

By default, when a server authenticates an IBM® Lotus® Notes® client it does not use information in Domino Directory Person documents. However, if you enable the option "Compare Notes public keys against those stored in Directory" on the Basics tab of the server's Server document, the server authenticates a Notes user only if the public key presented by the Notes client matches the public key in the user's Person document.

If a Notes user who connects to a server to authenticate is registered in a secondary Domino Directory rather than the server's primary Domino Directory, and the "Compare Notes public keys against those stored in Directory" option is enabled for the server to which the user connects, you must select the option "Make this domain available to: Notes clients and Internet Authentication/Authorization" on a Directory Assistance document to allow a server to do the public key comparison. This Directory Assistance document can be for:


Related topics