Home
Welcome to the HCL Domino 11.0.1 documentation
Welcome to the HCL Domino® 11.0.1 documentation. Here administrators can find information about planning, installing, configuring, and administering Domino 11.0.1.
Configuring
Use this information to configure your network, users, servers (including Web servers), directory services, security, messaging, widgets and live text, and server clusters.
Configuring directory services
This section describes how to plan, set up, and use HCL Domino® directory services.
Extended ACL
An extended access control list (ACL) is an optional directory access-control feature available for a directory created from the PUBNAMES.NTF template -- a Domino® Directory or an extended directory catalog. An extended ACL is tied to the database ACL, and you access it through the Access Control List dialog box using a Notes® or Domino Administrator client.
Extended ACL target
You select a target to specify either a category of documents or a specific document to which you are controlling a subject's access. Selecting a category of documents as a target is recommended because you can set access to multiple documents at once and because the access applies to documents added to the category in the future.
Target scope
When you select a category as a target in the Target box, you use the Scope of Target box to specify whether a subject's access settings apply only to documents at that category or also to documents under subcategories as well.
Adding a subject twice to a target category with different target scopes
Although not typically done, you can add one subject two times to one target category with different access settings. Add the subject to the target category and specify access for the scope This container only. Add the subject again to the same target category and specify access for the scope This container and all descendants. Using this approach, you can use one subject entry to set a subject's access to multiple target subcategories, rather than setting the subject's access separately at each subcategory.

Welcome to the HCL Domino 11.0.1 documentation
Welcome to the HCL Domino® 11.0.1 documentation. Here administrators can find information about planning, installing, configuring, and administering Domino 11.0.1.
- Translated documentation
  The HCL Domino 11.0.1 documentation is currently available in the following languages.
- What's new in Domino® 11?
  Learn about all of the new features for administrators in HCL Domino® 11.
- Overview
  Welcome to HCL Domino® Administrator Help.
- Domino trial
  A trial version of HCL Domino® 11.0.1 is available free of charge.
- Installing
  Use this documentation to install the HCL Domino® server and subsequently deploy the HCL Notes®client.
- Planning
  Use this topic as an overview of planning task.
- Configuring
  Use this information to configure your network, users, servers (including Web servers), directory services, security, messaging, widgets and live text, and server clusters.
  - Configuring a network
    This section presents the planning concepts and setup procedures necessary for a successful HCL Domino® deployment over a network. It provides information on network protocols from a Domino perspective but does not attempt to provide general network information.
  - Configuring users and servers
    Topics in this section describe how to set up users and servers.
  - Editing the NOTES.INI file
    You should rarely, if ever, need to modify a server's or client's NOTES.INI file. The NOTES.INI file contains many settings that Domino® and Notes® rely on to work properly. An accidental or incorrect change may cause Domino or Notes to run unpredictably. Therefore, you should edit the NOTES.INI file only if special circumstances occur or if Support recommends that you do so.
  - Configuring directory services
    This section describes how to plan, set up, and use HCL Domino® directory services.
    - The Domino® Directory
      The Domino® Directory, which some previous releases referred to as the Public Address Book or Name and Address Book, is a database that Domino creates automatically on every server. The Domino Directory is a directory of information about users, servers, and groups, as well as custom entries you may add. Registering users and servers in a domain automatically creates corresponding Person documents and Server documents in the Domino Directory for the domain. These documents contain detailed information about each user and server.
    - The LDAP service
      Lightweight Directory Access Protocol (LDAP) is a standard Internet protocol for searching and managing entries in a directory, where an entry has one or more attributes associated with a distinguished name. A distinguished name -- for example, cn=Phyllis Spera,ou=Sales,ou=East,o=Renovations -- is a name that identifies an entry within a directory tree.
    - LDAP schema
      A directory entry contains information about a particular entity, or object -- for example, a person or a group -- and is associated with a distinguished name. An LDAP schema is a set of rules that define what can be stored as entries in an LDAP directory. Each LDAP directory has a default schema, which organizations can customize, or "extend," by adding elements to it. The elements of a schema are attributes, syntaxes, and object classes. LDAP directory servers provide the ability to enforce the schema to ensure that directory changes made using LDAP operations conform to it.
    - ldapsearch utility
      Domino® and Notes® provide a command-line search utility, LDAPSEARCH.EXE, that you use to search entries in any LDAP directory. The ldapsearch utility connects to a directory server and returns results that match search criteria you specify. It is available on Domino server and Notes client platforms.
    - Directory assistance
      Directory assistance allows a server to look up information in a directory other than a local primary Domino® Directory (NAMES.NSF).
    - Directory Sync
      Directory Sync allows you to sync people and group data from an external LDAP directory into the Domino® directory. Currently data from Active Directory can be synced.
    - Directory catalogs
      A directory catalog is an optional directory database that typically contains information aggregated from multiple Domino® directories. Clients and servers can use a directory catalog to look up mail addresses and other information about the people, groups, mail-in databases, and resources throughout an organization, regardless of the number of Domino domains and Domino Directories the organization uses.
    - Extended ACL
      An extended access control list (ACL) is an optional directory access-control feature available for a directory created from the PUBNAMES.NTF template -- a Domino® Directory or an extended directory catalog. An extended ACL is tied to the database ACL, and you access it through the Access Control List dialog box using a Notes® or Domino Administrator client.
      - How other database security features restrict extended ACL access settings
        The access set for a user in an extended ACL can never exceed the access the database ACL, including the database ACL privileges and roles, allows the user. For example, if the database ACL allows a user only Reader access, you cannot use the extended ACL to allow Write access. Or if a user is omitted from the database ACL User Creator role, you can't use the extended ACL to allow the user Create access to Person documents.
      - Elements of an extended ACL
        To set up an extended ACL, you use the Extended Access at target dialog box, which you open from the database Access Control List dialog box.
      - Extended ACL access settings
        There are several access settings you use to control a subject's access to an extended ACL target. For each access setting you choose Allow or Deny. You can leave an access setting unchecked, but if you do, other subjects in the extended ACL or database ACL determine whether the subject is allowed or denied the access. It's better to select Allow or Deny to help ensure you get the access control results you expect.
      - Extended ACL subject
        An extended ACL subject is a name for which you are setting access to a selected extended ACL target. To add a subject to an extended ACL, you select the target and then click Add in the "Extended Access at target" dialog box.
      - Extended ACL target
        You select a target to specify either a category of documents or a specific document to which you are controlling a subject's access. Selecting a category of documents as a target is recommended because you can set access to multiple documents at once and because the access applies to documents added to the category in the future.
        Target scope
        When you select a category as a target in the Target box, you use the Scope of Target box to specify whether a subject's access settings apply only to documents at that category or also to documents under subcategories as well.
        Adding a subject twice to a target category with different target scopes
        Although not typically done, you can add one subject two times to one target category with different access settings. Add the subject to the target category and specify access for the scope This container only. Add the subject again to the same target category and specify access for the scope This container and all descendants. Using this approach, you can use one subject entry to set a subject's access to multiple target subcategories, rather than setting the subject's access separately at each subcategory.
      - Extended ACL examples
        Review the topics in the related information for examples of how to use extended ACLs.
      - Extended ACL guidelines
        Plan an extended ACL on paper before you implement it. After you have planned the extended ACL on paper, test it in a nonproduction environment before deploying it.
      - Setting up and managing an extended ACL
        Use these tasks to set up and manage an extended ACL.
    - Setting up Domino® Active Directory synchronization (Deprecated)
      When the Domino® server is installed on a Microsoft™ Windows™ 2003 server, as an administrator, you typically need to maintain two separate directories for the same set of people and groups. Maintaining user and group information involves adding entries to both directories, deleting entries, ensuring that passwords are the same when users use Notes® Single Logon, coordinating group membership in both directories, and ensuring that user or group settings, such as email addresses and telephone numbers, are identical.
  - Configuring messaging
    This section provides an overview of messaging and describes how to set up mail routing, how to set up and customize mail servers, and how to track mail.
  - Configuring iNotes®
    HCL iNotes® provides HCL Notes® users with browser-based access to Notes mail and to Notes calendar and scheduling features. Administrators specify mail policy and security policy settings as well as notes.ini file settings to complete the full implementation of HCL iNotes.
  - Configuring Web servers
    This section describes how to set up the HCL Domino® Web server, and the Domino Web Navigator.
  - Setting up a cluster
    Setting up a cluster includes the tasks of creating and verifying that it is working correctly, and then setting up user access, mail, replications, size quotas, directory assistance, roaming, web navigation, and use of a private LAN in the cluster.
- Securing
  This section describes security features, including execution control lists, IDs, and SSL.
- Administering
  This documentation provides information about the administration tools for managing and monitoring servers and databases.
- Tuning
  Use this information to improve HCL Domino® server, Domino Web server, and messaging performance through the use of resource balancing and activity trends, Server.Load commands, advanced database properties, cluster statistics, and the Server Health Monitor.
- Troubleshooting
  This section describes how to find and solve problems with HCL Domino® server and Administrator client.
- Notices

Adding a subject twice to a target category with different target scopes

Although not typically done, you can add one subject two times to one target category with different access settings. Add the subject to the target category and specify access for the scope This container only. Add the subject again to the same target category and specify access for the scope This container and all descendants. Using this approach, you can use one subject entry to set a subject's access to multiple target subcategories, rather than setting the subject's access separately at each subcategory.

About this task

For example, suppose you want to allow members of the group Admins/Renovations full access to documents categorized directly under O=Renovations. You also want to allow members of the group to browse and read documents categorized under OU=East and OU=West, but want to prevent them from creating, deleting, writing, and setting extended access settings for these documents. You want to deny the group access to all other documents. To accomplish this you could do the following:

Add Admins/Renovations to the database ACL with Editor access and all privileges and administration roles.
Add Admins/Renovations as a subject at / (root), deny all access and select the scope This container and all descendants.
Add Admins/Renovations to O=Renovations, allow all access and select the scope This container only.
Add Admins/Renovations to O=Renovations again, allow only Browse and Read access and deny all other access and select the scope This container and all descendants.

When you create a subject entry for the Admins/Renovations group at the organization level (O=Renovations) and specify the scope This container only, you determine the level of access the Admins group has to documents contained directly within the Renovations organization only; your action does not define access to documents in subordinate organizational containers. On the other hand, a secondary subject for the same Admins/Renovations group at the same O=Renovations organization level but with the scope This container and all descendants, determines the level of access the Admins group has to documents not only in the Renovations organization, but in the subordinate East and West organizational units (OU=East or OU=West) as well.

Note: The inclusion of other subjects in the extended ACL can affect access levels.