DIRECTORY SERVICES


Directory assistance and group lookups for database authorization
When a database access control list (ACL) includes a group located in a server's primary IBM® Lotus® Domino® Directory, the server automatically can look up the members of that group when authorizing a user's database access. You can store groups used for database authorization in one directory in addition to the primary Domino Directory. This one additional directory can be a secondary Domino Directory, an Extended Directory Catalog, or a remote LDAP directory. Note that if the primary Domino Directory and the one additional directory both contain a group used for database authorization with the same name, a server uses the group in the primary Domino Directory.

To use one additional directory for group authorization, do the following in the Directory Assistance document for the directory:


The following figure illustrates looking up groups used for database authorization in a remote secondary Domino Directory.

Directory assistance and group authorization

Tip Enable "Group Authorization" for an Extended Directory Catalog effectively enables you to store groups used for database authorization in multiple secondary Domino Directories, as long as you aggregate the directories into the directory catalog.

A server verifies a client's access to a database after the client authentication process is complete. You can use different directories for client authentication and group authorization. For example, you can use a remote LDAP directory for client authentication, and an Extended Directory Catalog to look up groups during database authorization.

Note When you enable Group Authorization for a remote LDAP directory, you can select a custom search filter for servers to use for searching the groups.

Nesting groups used for database authorization

When authorizing database access, a server can search a group that is nested in a group listed in a database ACL, and search a group nested in the nested group, and so on, as long as all of the groups are located in the same directory.

If you enable "Group Authorization" for a secondary Domino Directory or an Extended Directory Catalog, a server always searches nested groups in the directory. If you enable "Group Authorization" for a remote LDAP directory, use the "Nested group expansion" option to control whether a server searches nested groups. Choose Yes (the default) to search nested groups, or No to prevent nested group searches. If there are many nested groups, selecting No can improve search performance.

Note that Domino does not apply directory assistance name rules for searches of nested groups. Sometimes the DN of a group will match the name rules established for a secondary directory, but the dn of a member of that group - either a user or a nested group - does not. By not applying directory assistance name rules, this circumvents the problem and enables the search to return a complete nameslist for any search request.

The restrictions on the location for groups used for database authorization do not apply to groups used for other purposes. For example, the Router can search groups in any directory configured for directory assistance, and can search nested groups even when the nested groups are located in different directories than their parents.

Related topics