Directory assistance and naming rules

When you configure directory assistance for a directory, you define at least one naming rule that corresponds to the names of users in the directory. Naming rules are based on the X.500 distinguished name model. This model uses a directory tree name hierarchy of country (c), organization (o), and organizational unit (ou) to divide names into parts that together represent unique locations in the directory tree. This is also the naming model Domino® and Notes® have traditionally used.

Each directory assistance naming rule includes six parts, with each part containing one of the following:

  • The name of a specific directory tree branch, for example, the organization Renovations or the organizational unit Sales.
  • An asterisk (*) to represent all branches at a specific level in the directory tree name hierarchy
  • A null character (nothing or a single space) to exclude all branches at a specific level in the directory tree name hierarchy

It's common to assign an all-asterisk rule (*/*/*/*/*/*) to a directory to represent all names in the directory. However, if directories configured in directory assistance use discrete name hierarchies, it is useful to define rules for the directories that correspond to the hierarchies, so servers can target a specific directory when searching for specific names.

For example, assume Directory A and Directory B are both configured in a directory assistance database. Names in Directory A fall under o=renovations,c=us, so you specify the rule */ */ */ */ renovations/us for it. Names in Directory B fall under o=renovations,c=fr, so you specify the rule */ */ */ */ renovations/fr for it. To find the name cn=jack brown,o=renovations,c=fr, a server searches only Directory B and not Directory A. To find the name cn=joan brown,o=renovations,c=us, a server searches only Directory A and not Directory B.

This type of targeted directory search can occur when:

  • A server looks for a hierarchical name in a Notes® message address field to resolve the address
  • A server running the LDAP service processes an LDAP client search operation that specifies a search base.
  • A server running the LDAP service processes an LDAP client add, delete, modify, or compare operation.
  • A server looks for a hierarchical logon name an Internet client passes when logging on to the server to initiate authentication.

Note that Domino® does not apply directory assistance naming rules to searches of nested groups. Sometimes the DN of a group matches the naming rules established for a secondary directory that has been enabled for group expansion, but the DN of a member of that group, either a user or a nested group, does not. In such cases, not applying the naming rules avoids the problem and enables the search to return a complete Names list for the subject of the search.

To find a flat name, a name without distinguishing parts, or to process an LDAP search request that doesn't specify a search base, a server ignores naming rules and searches directories according to search orders specified for the directories in the Directory Assistance documents.

Note: Some LDAP directories do not use the country (c), organization (o), and organizational unit (ou) naming model. If you set up directory assistance for an LDAP directory such as this, use an all-asterisk naming rule for the directory.

Trusted naming rules

When an Internet client passes a logon name to a server to initiate authentication, the server looks for the name in a directory configured in the directory assistance database only if the directory has at least one configured naming rule that is Trusted for Credentials -- known as a trusted rule. If the client logon name is hierarchical, the server looks for the name only in directories with a trusted rule that matches the client logon name, in addition to the primary Domino® Directory. If the client logon name is flat, for example John Smith, then the server looks for the name in all directories with a trusted rule.

When a server finds the client logon name in a user entry in a directory, the server compares the distinguished name assigned to the user entry to the trusted rule(s) defined for the directory. The server only authenticates the client if the distinguished name matches a trusted rule. If you use a remote LDAP directory for client authentication and add Notes® distinguished names to the directory, the Notes® distinguished names, not the original LDAP distinguished names, must match a trusted rule for the directory.

Examples of naming rules

The following sample names are either included or excluded, depending on the naming rule. The table shows how each rule includes or excludes them.

  • Marilyn Jenkins/Omega
  • Alan Jones/Sales/East/Renovations/US
  • Randi Bowker/Marketing/East/Renovations/US
  • Cheryl Lordan/IS/West/Renovations/US
  • Derek Malone/Accounting/West/Renovations/US
  • Deborah Jones/West/Renovations/US
  • Karen Lessing/West/Renovations/DE

Table 1. Examples of how naming rules include or exclude sample names

| Rule | Includes | Excludes |
|---|---|---|
| */*/*/*/*/* | All names in the directory | No names |
| / / */ */Renovations/* | Alan Jones/Sales/East/Renovations/US; Randi Bowker/Marketing/East/Renovations/US; Cheryl Lordan/IS/West/Renovations/US; Derek Malone/Accounting/West/Renovations/US; Deborah Jones/West/Renovations/US; Karen Lessing/West/Renovations/DE | Marilyn Jenkins/Omega |
| / / */West/Renovations/* | Cheryl Lordan/IS/West/Renovations/US; Derek Malone/Accounting/West/Renovations/US; Deborah Jones/West/Renovations/US; Karen Lessing/West/Renovations/DE | Marilyn Jenkins/Omega; Alan Jones/Sales/East/Renovations/US; Randi Bowker/Marketing/East/Renovations/US |
| / / /West/Renovations/* | Deborah Jones/West/Renovations/US; Karen Lessing/West/Renovations/DE | Marilyn Jenkins/Omega; Alan Jones/Sales/East/Renovations/US; Randi Bowker/Marketing/East/Renovations/US; Cheryl Lordan/IS/West/Renovations/US; Derek Malone/Accounting/West/Renovations/US |
| / / */West/Renovations/DE | Karen Lessing/West/Renovations/DE | Marilyn Jenkins/Omega; Alan Jones/Sales/East/Renovations/US; Randi Bowker/Marketing/East/Renovations/US; Cheryl Lordan/IS/West/Renovations/US; Derek Malone/Accounting/West/Renovations/US; Deborah Jones/West/Renovations/US |
| / /IS/West/Renovations/* | Cheryl Lordan/IS/West/Renovations/US | Marilyn Jenkins/Omega; Alan Jones/Sales/East/Renovations/US; Randi Bowker/Marketing/East/Renovations/US; Derek Malone/Accounting/West/Renovations/US; Deborah Jones/West/Renovations/US; Karen Lessing/West/Renovations/DE |
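
The matching behaviour that Table 1 implies, together with the Directory A/B targeting and the trusted-rule filtering described earlier, written out as an added Python example (not Domino code or any Domino API). It assumes the six rule parts are OU4/OU3/OU2/OU1/O/C and takes names as labeled DNs; the function names, the sample DNs, and the trust flags are constructed for illustration.

```python
def parse_rule(rule):
    """Split a rule into its six parts (assumed order: OU4/OU3/OU2/OU1/O/C)."""
    parts = [p.strip().lower() for p in rule.split("/")]
    if len(parts) != 6:
        raise ValueError(f"naming rule needs six parts: {rule!r}")
    return parts

def parse_dn(dn):
    """Map a labeled DN (no escaped commas) onto the six rule slots."""
    pairs = [[s.strip().lower() for s in rdn.partition("=")[::2]]
             for rdn in dn.split(",")]
    ous = [v for k, v in pairs if k == "ou"]
    org = next((v for k, v in pairs if k == "o"), "")
    country = next((v for k, v in pairs if k == "c"), "")
    if len(ous) > 4:
        raise ValueError(f"more than four ou levels: {dn!r}")
    # DNs list the most specific ou first, so right-align toward the o slot.
    return [""] * (4 - len(ous)) + ous + [org, country]

def rule_matches(rule, dn):
    """'*' accepts any value or none; a null part accepts only an absent level."""
    return all(want in ("*", have)
               for want, have in zip(parse_rule(rule), parse_dn(dn)))

def directories_for(dn, directories, credentials=False):
    """Directories to search for dn; for authentication only trusted rules count."""
    return [name for name, rules in directories.items()
            if any(rule_matches(rule, dn) for rule, trusted in rules
                   if trusted or not credentials)]

# Constructed data: Table 1's sample names written as labeled DNs.
SAMPLE = {
    "Marilyn Jenkins/Omega": "cn=Marilyn Jenkins,o=Omega",
    "Alan Jones/Sales/East/Renovations/US": "cn=Alan Jones,ou=Sales,ou=East,o=Renovations,c=US",
    "Randi Bowker/Marketing/East/Renovations/US": "cn=Randi Bowker,ou=Marketing,ou=East,o=Renovations,c=US",
    "Cheryl Lordan/IS/West/Renovations/US": "cn=Cheryl Lordan,ou=IS,ou=West,o=Renovations,c=US",
    "Derek Malone/Accounting/West/Renovations/US": "cn=Derek Malone,ou=Accounting,ou=West,o=Renovations,c=US",
    "Deborah Jones/West/Renovations/US": "cn=Deborah Jones,ou=West,o=Renovations,c=US",
    "Karen Lessing/West/Renovations/DE": "cn=Karen Lessing,ou=West,o=Renovations,c=DE",
}
# Constructed setup after the Directory A/B example; the trust flags are assumed.
DIRECTORIES = {
    "Directory A": [("*/ */ */ */ renovations/us", True)],
    "Directory B": [("*/ */ */ */ renovations/fr", False)],
}

def included(rule):
    """Names from SAMPLE that the rule includes."""
    return [name for name, dn in SAMPLE.items() if rule_matches(rule, dn)]
```

Running a proposed rule through `included()` before marking it Trusted for Credentials shows which names it would admit; an all-asterisk trusted rule admits every name in the directory.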