Controlling the level of authentication for Internet clients

You can select the level of restriction IBM® Domino® uses when authenticating users who have supplied a user name and password against Domino Directories and LDAP directories. This applies to all Internet protocols (HTTP, LDAP, IMAP, POP3).

About this task

Using this setting makes servers less vulnerable to security attacks by refining how Domino searches for names and authenticates Internet clients. Domino also uses this setting when a Java™ applet hosted on a Domino server authenticates users with the Domino IIOP protocol.

Procedure

  1. From the Domino Administrator, click Configuration, and open the Server document.
  2. Click Security.
  3. In the Internet Access section, choose one of the following in the Internet Authentication field:
    • Fewer name variations with higher security (default) - recommended for tighter security. This authentication method is less vulnerable to attacks because a single authentication attempt does not produce as many matches, lessening the likelihood that a guessed password matches.
    • More name variations with lower security - Domino tries to authenticate users based on the name and password entered. This authentication method can be vulnerable to hackers who guess names and passwords in an attempt to use a legitimate user account to access a server.
  4. Save and close the document.

Results

If you selected Fewer name variations with higher security, users enter one of the following in the name-and-password dialog box in a Web browser or other Internet client:
Table 1. Authentication required using Fewer name variations with higher security

| Domino Directory authentication | LDAP Directory authentication |
|---|---|
| Full hierarchical name | DN |
| Common name or Common name with CN= prefix | CN or CN with CN= prefix |
| Not applicable | UID or UID with UID= prefix |
| Alias name (a name listed in the User name field of the Person document, excluding the first name listed in the field) | Not applicable |
| Internet address (user's e-mail address as listed in the Internet address field in the user's Person document) | Mail |

If you selected More name variations with lower security, users can enter any of the following in the name-and-password dialog box in a Web browser:
Table 2. Authentication required using More name variations with lower security

| Domino Directory authentication | LDAP Directory authentication |
|---|---|
| Last name | Surname |
| First name | Givenname |
| Common name or Common name with cn= prefix | Common name (CN) or CN with CN= prefix |
| Full hierarchical name (canonical) | DN |
| Full hierarchical name (abbreviated) | DN |
| Short name | UID or UID with UID= prefix |
| Alias name (a name listed in the User name field of the Person document, excluding the first name listed in the field) | Not applicable |
| Soundex number | Not applicable |
| Internet address (user's e-mail address as listed in the Internet address field in the user's Person document) | Mail |
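
The following added example (not IBM code and not how Domino is implemented) models the Domino Directory columns of Tables 1 and 2 to show why the lower-security setting lets one entered name match several accounts. The directory entries, field names, passwords and the rule that a password is checked against every matching entry are assumptions of the model; Soundex matching is omitted.

```python
# Simplified model of Internet name lookup; NOT Domino's implementation.
# Field names are hypothetical labels for the Domino Directory rows of
# Table 1 (FEWER) and Table 2 (MORE). Soundex matching is left out.
FEWER = ("full_name", "common_name", "aliases", "internet_address")
MORE = FEWER + ("last_name", "first_name", "abbreviated_name", "short_name")

def person(first, last, short, password, org="Acme"):
    """Build one constructed Person entry (all values are sample data)."""
    cn = f"{first} {last}"
    return {"full_name": f"CN={cn}/O={org}", "abbreviated_name": f"{cn}/{org}",
            "common_name": cn, "first_name": first, "last_name": last,
            "short_name": short, "aliases": [f"{first[0]}. {last}"],
            "internet_address": f"{short}@acme.example", "password": password}

DIRECTORY = [  # constructed sample directory
    person("Ann", "Smith", "asmith", "k9#Tq2!vLx"),
    person("Bob", "Smith", "bsmith", "Winter2024"),
    person("Carol", "Jones", "cjones", "p7$Zm4&rWd"),
]

def candidates(entered, fields):
    """Return the entries whose looked-up fields equal the entered name."""
    name = entered.lower()
    # Accept a common name typed with a "CN=" prefix, as in the tables.
    wanted = {name, name[3:] if name.startswith("cn=") else name}
    hits = []
    for entry in DIRECTORY:
        values = set()
        for field in fields:
            value = entry[field]
            values.update(v.lower() for v in
                          (value if isinstance(value, list) else [value]))
        if wanted & values:
            hits.append(entry)
    return hits

def authenticate(entered, password, fields):
    """Model assumption: the password is tried against every candidate."""
    return [e["short_name"] for e in candidates(entered, fields)
            if e["password"] == password]

if __name__ == "__main__":
    for label, fields in (("Fewer", FEWER), ("More", MORE)):
        print(label, "name variations:",
              len(candidates("Smith", fields)), "candidate(s) for 'Smith';",
              "guess 'Winter2024' ->", authenticate("Smith", "Winter2024", fields))
```

In this model a bare last name reaches no account under Fewer name variations, while under More name variations one guess is compared against every account that shares that last name.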

What to do next

The Domino Web Server Application Programming Interface (DSAPI) is a C API tool that lets you write your own extensions to the Domino Web server. These extensions, or filters, let you customize the authentication of Web users. For more information on DSAPI and filters, see the current Lotus® C API Toolkit for Domino and Notes®, which is available at www.ibm.com.