Directory assistance and group lookups for database authorization

When a database access control list (ACL) includes a group located in a server's primary Domino® Directory, the server can automatically look up the members of that group when authorizing a user's database access.

About this task

You can store groups used for database authorization in one directory in addition to the primary Domino® Directory. This one additional directory can be a secondary Domino® Directory, an extended directory catalog, or a remote LDAP directory. Note that if the primary Domino® Directory and the one additional directory both contain a group used for database authorization with the same name, a server uses the group in the primary Domino® Directory.

Procedure

To use one additional directory for group authorization, do the following in the Directory Assistance document for the directory:
  • On the Basics tab, for Make this domain available to, select Notes clients and Internet Authentication/Authorization.
  • On the Basics tab, next to Group Authorization, choose Yes.
Tip: Enabling Group Authorization for an extended directory catalog effectively lets you store groups used for database authorization in multiple secondary Domino® Directories, as long as you aggregate those directories into the directory catalog.

A server verifies a client's access to a database after the client authentication process is complete. You can use different directories for client authentication and group authorization. For example, you can use a remote LDAP directory for client authentication, and an extended directory catalog to look up groups during database authorization.

Note: When you enable Group Authorization for a remote LDAP directory, you can select a custom search filter for servers to use for searching the groups.

Nesting groups used for database authorization

About this task

When authorizing database access, a server can search a group that is nested in a group listed in a database ACL, and search a group nested in the nested group, and so on, as long as all of the groups are located in the same directory.

If you enable Group Authorization for a secondary Domino® Directory or an extended directory catalog, a server always searches nested groups in the directory. If you enable Group Authorization for a remote LDAP directory, use the Nested group expansion option to control whether a server searches nested groups. Select Yes (the default) to search nested groups, or No to prevent nested group searches. If there are many nested groups, selecting No can improve search performance.

Note that Domino® does not apply directory assistance name rules to searches of nested groups. Sometimes the DN of a group matches the name rules established for a secondary directory, but the DN of a member of that group - either a user or a nested group - does not. Not applying name rules to nested group searches avoids this problem and enables a search to return a complete names list for any request.
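As an added example (not Domino® code), the following Python models the documented lookup rules from the sections above: the primary Domino® Directory wins when both directories hold a group with the same name, nested groups are followed only within the directory that holds the parent group, and the Nested group expansion option switches nesting off for a remote LDAP directory. The directory names, group names and member names are constructed.

```python
from dataclasses import dataclass

@dataclass
class Directory:
    """A directory with Group Authorization enabled (constructed model, not Domino code)."""
    name: str
    groups: dict                     # group name -> list of member names (users or groups)
    nested_expansion: bool = True    # the "Nested group expansion" option (remote LDAP only)

def find_group(directories, group):
    """Return the directory that holds `group`. `directories` lists the primary
    Domino Directory first, so it wins when both directories define the same name."""
    for d in directories:
        if group in d.groups:
            return d
    return None

def expand_group(directory, group, seen=None):
    """Flatten `group` to user names. Nested groups are followed only when they
    live in the same directory and nested expansion is enabled; other member
    names are returned as-is, so a same-named group elsewhere is not consulted."""
    seen = set() if seen is None else seen
    members = set()
    for m in directory.groups.get(group, []):
        if m in directory.groups:                      # nested group, same directory
            if directory.nested_expansion and m not in seen:
                seen.add(m)                            # guards against group cycles
                members |= expand_group(directory, m, seen)
        else:
            members.add(m)
    return members

def user_in_acl_group(directories, user, acl_group):
    """Does `user` gain access through `acl_group` listed in a database ACL?"""
    d = find_group(directories, acl_group)
    return d is not None and user in expand_group(d, acl_group)

# Constructed sample data: a primary Domino Directory and one remote LDAP directory.
PRIMARY = Directory("primary", {
    "Finance": ["CN=Alice/O=Acme", "Finance-Leads"],
    "Finance-Leads": ["CN=Bob/O=Acme"],
})
LDAP = Directory("ldap", {
    "Finance": ["cn=Carol,o=Acme"],                    # same name as a primary group
    "Contractors": ["cn=Dave,o=Acme", "Contractors-EU"],
    "Contractors-EU": ["cn=Eve,o=Acme"],
}, nested_expansion=False)
DIRECTORIES = [PRIMARY, LDAP]                          # primary first
```

With this data, Bob is authorized through the nested primary group, Carol is not (the primary "Finance" shadows the LDAP one), and Eve is not until nested expansion is enabled on the LDAP directory.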

The restrictions on the location for groups used for database authorization do not apply to groups used for other purposes. For example, the Router can search groups in any directory configured for directory assistance, and can search nested groups even when the nested groups are located in different directories than their parents.