Scenarios for using extended directory catalogs for client authentication

The following table describes various ways to configure extended directory catalogs on servers to support client authentication, depending on the extent to which you want servers to trust the aggregated Domino® Directories for authentication.

The scenarios assume the following:

  • S1, S2, S3, and S4 are the names of the servers in a domain.
  • A, B, C, and D are the names of the Domino® Directories for each of the organization's four domains.
  • Each name in A, B, C, and D is part of one of the following namespaces: west/renovations, east/renovations, north/renovations, south/renovations. Namespaces overlap across A, B, C, and D.
  • DA = Directory Assistance.
  • EDC = Extended directory catalog.
Table 1. Directory catalog authentication scenarios

Authentication goal: S1, S2, S3, S4 trust all names in A, B, C, D for authentication.
How to accomplish with extended directory catalog(s): Aggregate A, B, C, and D into one EDC. Create one DA database used by all servers. Create one DA document for the EDC with the */*/*/*/*/* naming rule enabled and trusted for credentials.

Authentication goal: S1, S2, S3, S4 trust no names in A, B, C, D for authentication.
How to accomplish with extended directory catalog(s): As for the preceding authentication goal, aggregate the four directories A, B, C, and D into one EDC and create one DA database for use by all servers. However, do not enable any rule that is trusted for credentials in the DA document for the EDC; the names remain available for lookup but cannot be used to authenticate.

Authentication goal: S1, S2, S3, S4 trust all names in A and B for authentication, but no names in C and D.
How to accomplish with extended directory catalog(s): Aggregate A and B into EDC1, and aggregate C and D into EDC2. Create one DA database used by all servers. Create a DA document for EDC1 with the */*/*/*/*/* naming rule enabled and trusted for credentials. Create a DA document for EDC2 with the */*/*/*/*/* naming rule enabled but not trusted for credentials.

Authentication goal: S1, S2, S3, S4 trust only names ending in west/renovations or east/renovations, regardless of which Domino® Directory contains the name.
How to accomplish with extended directory catalog(s): Aggregate A, B, C, and D into one EDC. Create one DA database used by all servers and create one DA document for the EDC. In the DA document, create the rule */*/*/west/renovations/* and the rule */*/*/east/renovations/* and enable trusted for credentials for both rules. Do not trust any other naming rule for credentials.

Authentication goal: S1 and S2 trust and use only names in A and B. S3 and S4 trust and use only names in C and D.
How to accomplish with extended directory catalog(s): Aggregate A and B into EDC1. Create a DA database, DA1, and in it create a DA document for EDC1 with the */*/*/*/*/* naming rule enabled and trusted for credentials. Set up S1 and S2 to use DA1. Aggregate C and D into EDC2. Create another DA database, DA2, and in it create a DA document for EDC2 with the */*/*/*/*/* naming rule enabled and trusted for credentials. Set up S3 and S4 to use DA2.
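The following is an added model of the trust decision the table describes, not Domino code: a server consults the DA database it is set up to use, finds the DA document for the EDC that holds the name, and trusts the name for authentication only if a naming rule that matches it is flagged as trusted for credentials. It assumes the abbreviated name form used in the table (common name first, no country component) and the six-part rule order OU4/OU3/OU2/OU1/O/C implied by */*/*/west/renovations/*.

```python
from dataclasses import dataclass, field

NUM_COMPONENTS = 6  # OU4 / OU3 / OU2 / OU1 / O / C, as in */*/*/west/renovations/*


def name_components(name: str) -> list[str]:
    """Map 'Jane Doe/sales/west/renovations' onto [OU4, OU3, OU2, OU1, O, C].
    Assumption: first part is the common name, last part is O, no country."""
    parts = name.split("/")[1:]          # drop the common name
    if not parts:                        # flat name: nothing to match on
        return [""] * NUM_COMPONENTS
    org, ous = parts[-1], parts[:-1]
    ou_slots = [""] * 4
    for i, ou in enumerate(reversed(ous)):   # OU nearest to O is OU1 (index 3)
        ou_slots[3 - i] = ou
    return ou_slots + [org, ""]


def rule_matches(rule: str, name: str) -> bool:
    """'*' matches any component (including an empty one); others match case-insensitively."""
    rule_parts = rule.split("/")
    if len(rule_parts) != NUM_COMPONENTS:
        raise ValueError(f"naming rule must have {NUM_COMPONENTS} components: {rule!r}")
    return all(r == "*" or r.lower() == n.lower()
               for r, n in zip(rule_parts, name_components(name)))


@dataclass
class DADocument:
    edc: str                    # the EDC this DA document points at
    rules: dict[str, bool]      # naming rule -> trusted for credentials?


@dataclass
class DADatabase:
    documents: list[DADocument] = field(default_factory=list)

    def trusts(self, edc: str, name: str) -> bool:
        """A name is trusted only via a matching rule flagged trusted in the EDC's DA document."""
        return any(trusted and rule_matches(rule, name)
                   for doc in self.documents if doc.edc == edc
                   for rule, trusted in doc.rules.items())


# Scenario 4 of the table: one EDC, only west/ and east/renovations trusted for credentials.
SCENARIO_4 = DADatabase([DADocument("EDC", {
    "*/*/*/west/renovations/*": True,
    "*/*/*/east/renovations/*": True,
    "*/*/*/*/*/*": False,       # enabled for lookup, but never trusted
})])

# Scenario 5 of the table: S1/S2 use DA1 (EDC1 = A+B), S3/S4 use DA2 (EDC2 = C+D).
DA1 = DADatabase([DADocument("EDC1", {"*/*/*/*/*/*": True})])
DA2 = DADatabase([DADocument("EDC2", {"*/*/*/*/*/*": True})])
SERVER_DA = {"S1": DA1, "S2": DA1, "S3": DA2, "S4": DA2}


def server_trusts(server: str, edc: str, name: str) -> bool:
    """Trust decision as seen from one server: only its own DA database is consulted."""
    return SERVER_DA[server].trusts(edc, name)
```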