Using xACLs to secure Internet passwords

One way to secure Internet passwords is to use Extended ACLs (xACLs), which control access by level in the naming hierarchy and at the form and field level. For passwords stored in the Domino® Directory, administrators can set up xACLs so that access to the Internet password fields is limited to the users themselves (so each user can reach only their own password) and to administrators (so administrative password changes remain possible).

Procedure

  1. First, enable extended access for the Domino® Directory:
    1. Open the database, and choose File > Application > Access Control.
    2. Make sure you have Manager access in the database ACL.
    3. Click Advanced, and then select Enable Extended Access.
    4. When prompted "Enabling extended access control enforces additional security checking. See Domino Administrator Help for more details. Do you want to continue?", click Yes.
    5. If the advanced database ACL option "Enforce a consistent Access Control List across all replicas" is not yet enabled, you are prompted "Consistent access control must be enabled first. Do you want to enable it now?" Click Yes.
    6. Click OK at the prompt "If more than one administrator manages extended access control for this database, enable document locking on the database to avoid conflicts."
    7. Click OK in the Access Control List dialog box.
    8. When the message "Enabling extended access control restrictions. This may take a while." is displayed, click OK.
  2. Next, set up the extended access to secure Internet passwords:
    1. Open the database, and choose File > Application > Access Control.
    2. Click Extended Access. The Extended Access dialog box appears.
    3. In the Target pane, select the root [/] and click Add.
    4. In the Access List pane, select Default.
    5. Click Form and Field Access. The Form and Field dialog box appears.
    6. In the Forms list box, select Person. Leave the Access settings for Forms blank.
    7. In the Fields list box:
    8. Click OK.
    9. Repeat this process for the HTTPPassword and dspHTTPPassword (if it appears) fields in the Person form, using the following Access List entries:

      Table 1. Access List entries in the Person form

      Access List entry              Read Access setting   Write Access setting
      Self                           Allow                 Allow
      [Local administrators group]   Allow                 Allow
      [Local servers group]          Allow                 Allow

    Note: If Anonymous access was previously defined in the access list, it should be set up to deny read and write access to the HTTPPassword and dspHTTPPassword (if it appears) fields in the Person form.
    Note: Once xACLs are enabled for a Domino® Directory, LDAP anonymous access is no longer controlled by the list of fields in the All Server Configuration document. Since the default xACL setting for Anonymous is "No Access," once xACLs are enabled all anonymous LDAP searches will fail.
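The following is an added example, not Domino code and not part of this page: a small model of the field-level access list that the procedure builds for the password fields in the Person form. It encodes the rows of Table 1 together with the Default and Anonymous entries the notes describe, and contrasts that list with an unhardened one in which Default can still read the field. The precedence order it applies (Anonymous, then Self, then a named user or group entry, then Default) is an assumption of the model, and the group names LocalDomainAdmins and LocalDomainServers are constructed placeholders for the local administrators and servers groups.

```python
"""Model of xACL field access to HTTPPassword / dspHTTPPassword on the Person form.

Added illustration for this page. It is not Domino code, contacts no server, and
uses an assumed precedence rule; group names are constructed placeholders.
"""
from dataclasses import dataclass

ALLOW = "Allow"
DENY = "Deny"
PASSWORD_FIELDS = ("HTTPPassword", "dspHTTPPassword")


@dataclass(frozen=True)
class FieldRule:
    read: str
    write: str


@dataclass
class Requester:
    name: str                        # canonical Notes name, e.g. "CN=Jane Doe/O=Acme"
    groups: frozenset = frozenset()  # group entries the requester resolves to
    anonymous: bool = False          # unauthenticated (anonymous LDAP/HTTP) access


# Access list after the procedure: Table 1 rows plus Default and Anonymous, both denying.
SECURED_ACL = {
    "Default": FieldRule(DENY, DENY),
    "Anonymous": FieldRule(DENY, DENY),
    "Self": FieldRule(ALLOW, ALLOW),
    "LocalDomainAdmins": FieldRule(ALLOW, ALLOW),   # placeholder for [Local administrators group]
    "LocalDomainServers": FieldRule(ALLOW, ALLOW),  # placeholder for [Local servers group]
}

# A weak list for comparison: Default still reads and writes the password fields, so
# any authenticated directory user can read other users' password hashes.
UNSECURED_ACL = {
    "Default": FieldRule(ALLOW, ALLOW),
    "Anonymous": FieldRule(DENY, DENY),
}


def effective_rule(acl, requester, person_doc_owner):
    """Pick the FieldRule that applies to `requester` on the Person document of `person_doc_owner`.

    Assumed precedence (a modelling choice, not a documented Domino rule):
    Anonymous entry, then Self when the requester owns the document, then a
    named user or group entry, then Default when nothing else matches.
    """
    if requester.anonymous:
        return acl.get("Anonymous", acl["Default"])
    if requester.name == person_doc_owner and "Self" in acl:
        return acl["Self"]
    for entry in (requester.name, *sorted(requester.groups)):
        if entry in acl:
            return acl[entry]
    return acl["Default"]


def can_read(acl, requester, owner):
    return effective_rule(acl, requester, owner).read == ALLOW


def can_write(acl, requester, owner):
    return effective_rule(acl, requester, owner).write == ALLOW


def audit_acl(acl):
    """Return findings for an access list on the password fields; an empty list means it matches Table 1."""
    findings = []
    for entry in ("Default", "Anonymous"):
        rule = acl.get(entry)
        if rule is None:
            findings.append(f"{entry} entry missing")
        elif ALLOW in (rule.read, rule.write):
            findings.append(f"{entry} may read or write {' / '.join(PASSWORD_FIELDS)}")
    if acl.get("Self") != FieldRule(ALLOW, ALLOW):
        findings.append("Self is not allowed to read and write its own password fields")
    return findings


if __name__ == "__main__":
    jane = Requester("CN=Jane Doe/O=Acme")
    bob = Requester("CN=Bob Lee/O=Acme")
    anon = Requester("Anonymous", anonymous=True)
    for label, acl in (("secured", SECURED_ACL), ("unsecured", UNSECURED_ACL)):
        print(label, "Bob reads Jane's HTTPPassword:", can_read(acl, bob, jane.name),
              "| anonymous reads it:", can_read(acl, anon, jane.name),
              "| findings:", audit_acl(acl))
```

Running the module shows the point of the Default row: with the secured list only Jane, the administrators group and the servers group reach Jane's password fields, whereas the unsecured list lets any other authenticated user (Bob) read them, and audit_acl flags that list while returning no findings for the one matching Table 1.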