DIRECTORY SERVICES
To use one additional directory for group authorization, do the following in the Directory Assistance document for the directory:
Tip: Enabling "Group Authorization" for an Extended Directory Catalog effectively enables you to store groups used for database authorization in multiple secondary Domino Directories, as long as you aggregate the directories into the directory catalog.
A server verifies a client's access to a database after the client authentication process is complete. You can use different directories for client authentication and group authorization. For example, you can use a remote LDAP directory for client authentication, and an Extended Directory Catalog to look up groups during database authorization.
Note: When you enable Group Authorization for a remote LDAP directory, you can select a custom search filter for servers to use for searching the groups.
Nesting groups used for database authorization
When authorizing database access, a server can search a group that is nested in a group listed in a database ACL, and search a group nested in the nested group, and so on, as long as all of the groups are located in the same directory.
If you enable "Group Authorization" for a secondary Domino Directory or an Extended Directory Catalog, a server always searches nested groups in the directory. If you enable "Group Authorization" for a remote LDAP directory, use the "Nested group expansion" option to control whether a server searches nested groups. Choose Yes (the default) to search nested groups, or No to prevent nested group searches. If there are many nested groups, selecting No can improve search performance.
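The same-directory rule and the "Nested group expansion" option can be modeled for an access review. This is an added example, not Domino code: the directory names, groups, users and function names are all constructed or hypothetical. It expands an ACL group within one directory only, tolerates circular nesting, and reports member groups that live in another directory and so contribute no users during database authorization.

```python
# Constructed sample data: directory name -> {group name -> members}.
# This models the rule described in the text; it is not Domino's implementation.
DIRECTORIES = {
    "ExtendedCatalog": {
        "Sales": ["Alice Ng/Acme", "SalesEMEA", "Contractors"],
        "SalesEMEA": ["Bob Roy/Acme", "SalesUK"],
        "SalesUK": ["Cara Lee/Acme", "Sales"],  # circular nesting back to Sales
    },
    "PartnerLDAP": {
        "Contractors": ["Dan Poe/Partner"],
    },
}


def expand_group(directory, group, nested=True):
    """Return (users, unresolved) for an ACL group, searching one directory only.

    nested=False models "Nested group expansion: No": only direct members count.
    unresolved lists member groups that exist only in a different directory.
    """
    groups = DIRECTORIES[directory]
    known_groups = {g for d in DIRECTORIES.values() for g in d}
    users, unresolved = set(), set()
    seen, stack = {group}, [group]
    while stack:
        current = stack.pop()
        for member in groups.get(current, []):
            if member in groups:              # nested group in the same directory
                if nested and member not in seen:
                    seen.add(member)          # the seen set guards against cycles
                    stack.append(member)
            elif member in known_groups:      # group located in another directory
                unresolved.add(member)
            else:
                users.add(member)
    return users, unresolved


def is_authorized(user, directory, acl_group, nested=True):
    """True if user is reachable from acl_group under the same-directory rule."""
    users, _ = expand_group(directory, acl_group, nested)
    return user in users


if __name__ == "__main__":
    print(expand_group("ExtendedCatalog", "Sales"))
    print(expand_group("ExtendedCatalog", "Sales", nested=False))
```

A non-empty unresolved set is the item to review: those groups look like members of the ACL group but are never searched for database authorization.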
Note that Domino does not apply directory assistance name rules for searches of nested groups. Sometimes the DN of a group will match the name rules established for a secondary directory, but the DN of a member of that group (either a user or a nested group) does not. Not applying directory assistance name rules circumvents this problem and enables the search to return a complete nameslist for any search request.
The restrictions on the location for groups used for database authorization do not apply to groups used for other purposes. For example, the Router can search groups in any directory configured for directory assistance, and can search nested groups even when the nested groups are located in different directories than their parents.