Authenticating Web SSL clients in secondary Domino and LDAP directories

When a Web client authenticates with a Domino server using an SSL client certificate, by default the server checks only the primary IBM® Domino® Directory for a Person document that contains the client certificate. If your organization also uses a secondary Domino Directory and/or an LDAP directory to verify client certificates, you can set up Domino to check those additional directories as well. To do so, you set up the secondary Domino and LDAP directories in the Directory Assistance database and mark them as trusted domains.

When you mark a domain as trusted, Domino searches the primary Domino Directory for the user first and then searches only the secondary Domino and LDAP directories that you have marked as trusted. When you set up directory assistance, you specify the order in which Domino searches those secondary directories.

In addition, Domino checks the primary Domino Directory and the secondary directories you trust when you add SSL client certificates to the Domino Directory using the Domino Certificate Authority application. You cannot, however, add client certificates to an LDAP directory, even if the LDAP directory runs on a Domino server.

It is recommended that you use SSL to secure information sent between the Domino server and the LDAP directory server. Otherwise the directory traffic, including the name returned for the client, travels across the network in the clear, where it can be read or altered.

The hierarchical name returned by the Domino Directory or LDAP directory is checked against the trusted naming rule in the Directory Assistance document for that directory, to verify that the organization and organizational units in the name match the specified rule. For example, if the user name returned is Dave Lawson/Renovations, the Directory Assistance document must include the rule */Renovations. This check means a secondary directory can vouch only for names in the organizations you have trusted it for.
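The following is an added example, written for this page and not taken from Domino or its documentation, that models the two behaviors described above: the primary directory is searched first, then only the trusted secondary directories in their configured order, and a name returned by a secondary directory is accepted only if it matches that directory's naming rule. The directory names, certificate fingerprints, user names and naming-rule semantics (each * matches exactly one name component, so */Renovations matches Dave Lawson/Renovations but not Dave Lawson/Sales/Renovations) are constructed assumptions for illustration, as is the choice to reject, rather than skip, a name that falls outside the trusted namespace.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class Directory:
    """One directory as configured by a Directory Assistance document.

    certs maps a client-certificate fingerprint to the hierarchical name of
    the Person document holding that certificate. Constructed sample data;
    a real directory would be queried over NRPC or LDAP."""
    name: str
    trusted: bool                      # marked as trusted in the DA document
    rules: Tuple[str, ...]             # naming rules such as "*/Renovations"
    certs: Dict[str, str] = field(default_factory=dict)


def split_name(name: str) -> List[str]:
    """Split 'Dave Lawson/Renovations' into its hierarchical components."""
    return [part.strip() for part in name.split("/") if part.strip()]


def rule_matches(rule: str, name: str) -> bool:
    """Hypothetical naming-rule check modelled on the Domino rule syntax.

    Assumption: a bare '*' matches any name; otherwise the rule and the name
    must have the same number of components, each '*' matches exactly one
    component, and explicit components compare case-insensitively."""
    rule_parts, name_parts = split_name(rule), split_name(name)
    if rule_parts == ["*"]:
        return True
    if len(rule_parts) != len(name_parts):
        return False
    return all(r == "*" or r.lower() == n.lower()
               for r, n in zip(rule_parts, name_parts))


def lookup(fingerprint: str, primary: Directory,
           secondaries: Sequence[Directory]) -> Tuple[str, Optional[str], Optional[str]]:
    """Find the user whose Person document holds the presented certificate.

    Searches the primary directory first, then the trusted secondary
    directories in the configured order. Returns (status, directory, user)
    where status is 'ok', 'rejected' or 'not_found'."""
    if fingerprint in primary.certs:
        return ("ok", primary.name, primary.certs[fingerprint])
    for directory in secondaries:
        if not directory.trusted:
            continue                    # untrusted directories are never consulted
        if fingerprint not in directory.certs:
            continue
        user = directory.certs[fingerprint]
        if any(rule_matches(rule, user) for rule in directory.rules):
            return ("ok", directory.name, user)
        # The directory returned a name outside the namespace it is trusted
        # for. Assumption: reject it rather than accept a name from an
        # organization this directory cannot vouch for.
        return ("rejected", directory.name, user)
    return ("not_found", None, None)


# Constructed sample configuration. Fingerprints are placeholders, not real
# certificate hashes.
PRIMARY = Directory("names.nsf", True, ("*",),
                    {"aa11": "Alice Chen/Acme"})
RENOVATIONS = Directory("renovations-ldap", True, ("*/Renovations",), {
    "bb22": "Dave Lawson/Renovations",
    "cc33": "Eve Mallory/Acme",            # name in an organization this directory is not trusted for
    "dd44": "Fay Ng/Sales/Renovations",    # one OU deeper than the rule allows
})
PARTNER = Directory("partner-ldap", False, ("*/Partner",),
                    {"ee55": "Gil Orr/Partner"})
SECONDARIES = (RENOVATIONS, PARTNER)


def check_all() -> Dict[str, Tuple[str, Optional[str], Optional[str]]]:
    """Run the lookup for every sample fingerprint."""
    return {fp: lookup(fp, PRIMARY, SECONDARIES)
            for fp in ("aa11", "bb22", "cc33", "dd44", "ee55")}


if __name__ == "__main__":
    for fp, result in check_all().items():
        print(fp, result)
```

In this model a rule of */Renovations covers names directly under the Renovations organization; to trust an organizational unit you would add a rule such as */Sales/Renovations or */*/Renovations. The untrusted partner-ldap directory is never searched, so its certificate is simply not found.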

Searching multiple directories in this way is also available for authenticating users who use name-and-password authentication.