Directory assistance and client authentication

To authenticate a user who is accessing a database on a Domino® server via any of the supported Internet protocols -- Web (HTTP), IMAP, POP3, or LDAP -- a server can look up the user's credentials in a directory that is configured in its directory assistance database. Servers can use X.509 certificate security or name-and-password security for the authentication.

About this task

To allow a server to use a directory for Internet client authentication that is configured in a directory assistance database, do the following in the Directory Assistance document for the directory:

  • On the Basics tab, for Make this domain available to, select Notes clients and Internet Authentication/Authorization.
  • On the Naming Contexts (Rules) tab, enable at least one rule that corresponds to the distinguished names of the users in the directory to be authenticated, and for Trusted for Credentials, select Yes.

For example, if your organization registers Web users in a foreign LDAP directory, when a Web user attempts to access a database on a Domino® Web server, the server can connect to the remote foreign LDAP directory server to look up the user name and password to do the authentication.

Note: A server's primary Domino® Directory is always enabled for client authentication. This is true even if you create a Directory Assistance document for the primary Domino® Directory and do not select Make this domain available to: Notes clients and Internet Authentication/Authorization.
Note: You use an Internet Site document or the Ports - Internet Ports tab of the Server document to control the types of client authentication an Internet protocol server allows.

Names accepted for name-and-password authentication

About this task

If a server uses name-and-password security to authenticate Internet clients, you select the types of names that the server can accept from clients. On the Security > Internet Access tab of the Server document in the primary Domino® Directory, select More name variations with lower security or Fewer name variations with higher security (the default). The selection applies to name and password authentication using any directory, including the primary Domino® Directory.

Though a server can accept a name other than a distinguished name from a client to search for a user's entry in a directory, it is always the user's distinguished name in the directory entry that the server compares to trusted rules in the Directory Assistance document to determine whether to authenticate the client. For example, suppose a user is registered in a directory with the distinguished name cn=alice browning,o=Renovations, but the user configures the name alice browning on the client. During authentication, the server searches for an entry that contains the name alice browning. When it finds the entry, it can authenticate the client only if "cn=alice browning,o=renovations" matches a trusted naming rule for the directory.

A user's distinguished name is also used as the basis for access control in Domino®, so you should use users' distinguished names in database ACLs, in groups used in database ACLs, in access lists in Server documents, and in Web server File Protection documents.

Encountering duplicate names during client authentication

About this task

If a server finds more than one directory entry containing the name presented by the client that corresponds to a valid distinguished name for authentication, within one directory or across directories, the server authenticates the client using the entry with the valid password or X.509 certificate. If more than one such entry has a valid password or X.509 certificate and the same distinguished name, the server authenticates the user using the first password or X.509 certificate it finds.
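The lookup-then-trust decision described in the previous section and the duplicate-name rule above, as an added illustrative model in Python (not Domino's own code): naming rules are simplified to an attribute/value dict with "*" wildcards, and the directory entries, rule and passwords are constructed sample data.

```python
from dataclasses import dataclass
from hmac import compare_digest

@dataclass
class Entry:
    dn: str            # distinguished name stored in the directory entry
    password: str      # constructed sample secret (a real server stores hashes)
    short_names: list  # name variations the server may accept for the lookup

def parse_dn(dn):
    """Split an LDAP-style DN into lower-cased (attribute, value) pairs."""
    return [(a.strip().lower(), v.strip().lower())
            for a, _, v in (rdn.partition("=") for rdn in dn.split(","))]

def rule_matches(rule, dn):
    """Simplified naming rule: dict of DN attribute -> value or '*' wildcard."""
    pairs = parse_dn(dn)
    for attr, want in rule.items():
        if want == "*":
            continue
        if not any(a == attr and v == want.lower() for a, v in pairs):
            return False
    return True

def find_candidates(directory, presented):
    """Every entry containing the presented name (a DN or a short variation)."""
    p = presented.lower()
    return [e for e in directory
            if e.dn.lower() == p or p in (n.lower() for n in e.short_names)]

def authenticate(directory, trusted_rules, presented, password):
    """Return the DN the client is authenticated as, or None. Trust is decided
    on the entry's DN, never on the name the client typed; among duplicate
    entries, the first one whose password verifies wins."""
    for entry in find_candidates(directory, presented):
        if not any(rule_matches(r, entry.dn) for r in trusted_rules):
            continue  # entry found, but its DN is not under a trusted rule
        if compare_digest(entry.password.encode(), password.encode()):
            return entry.dn
    return None

# Constructed sample data: one trusted rule for o=Renovations, and a directory
# where the short name "alice browning" exists in two organizations.
TRUSTED_RULES = [{"o": "Renovations", "c": "*"}]
DIRECTORY = [
    Entry("cn=alice browning,o=Contoso", "other-pw", ["alice browning"]),
    Entry("cn=alice browning,o=Renovations", "s3cret", ["alice browning", "abrowning"]),
    Entry("cn=alice browning,ou=Sales,o=Renovations", "s3cret", ["alice browning"]),
]
```

Presenting "alice browning" with the Contoso entry's password fails even though that entry exists and the password is correct, because its DN falls outside every trusted rule.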

Consistent client names and passwords across protocols

About this task

If Domino® servers authenticate a client over more than one Internet protocol, for ease of directory administration, create one directory entry for the client with one name and password that applies to all the protocols. Then set up the client to use the same name and password for all protocols.

For example, if a client connects to Domino® over HTTP for Web browsing and over LDAP for directory services, create one directory entry for the client with a name and password, and set up the client to use the name and password for both types of connections.

Features available for client authentication using a remote LDAP directory

About this task

The following features are available specifically for client authentication using a remote LDAP directory:

  • Configurable search filters to control how the server looks up names in the remote LDAP directory
  • LDAP-to-Domino name mapping to enable users to authenticate using Notes® distinguished names rather than LDAP distinguished names.

Notes® client authentication

About this task

By default, when a server authenticates a Notes® client it does not use information in Domino® Directory Person documents. However, if you enable the option Compare Notes public keys against those stored in Directory on the Basics tab of the server's Server document, the server authenticates a Notes® user only if the public key presented by the Notes® client matches the public key in the user's Person document.

If a Notes® user who connects to a server to authenticate is registered in a secondary Domino® Directory rather than the server's primary Domino® Directory, and the Compare Notes public keys against those stored in Directory option is enabled for the server to which the user connects, you must select the option Make this domain available to: Notes clients and Internet Authentication/Authorization on a Directory Assistance document to allow a server to do the public key comparison. This Directory Assistance document can be for:

  • The secondary Domino® Directory in which the Notes® user is registered
  • An extended directory catalog that aggregates the secondary Domino® Directory in which the Notes® user is registered.