Limiting directories to authentication-only lookups

You can limit the use of a directory to authentication.

You may need to deploy a directory for authentication purposes only if:

  • You have both a Domino® directory and an LDAP directory that contain some identical names.
  • You do not use the LDAP directory names for mailing.
  • Your mail clients are experiencing "Ambiguous name" dialog boxes when sending mail.

It is becoming common practice to use a corporate LDAP server to provide authentication (userid/password) services for single sign-on (SSO) purposes. Often, these LDAP servers are not configured, deployed, or intended to support mail routing (or other Domino-based) directory lookups.

Domino® does not support a universal name mapping scheme between Domino-style identities (fullnames or distinguished names of the form cn=xxxx, ou=yyyy, o=zzzz) and the less (or differently) constrained distinguished name formats implemented by various LDAP directories. As a result, deploying an LDAP directory for authorization can cause name ambiguity problems with some Domino® services if the same entries exist in both the native Domino® directories and the LDAP directory being deployed. Duplicate entries are usually the case when the LDAP directory is deployed for SSO or to provide LDAP-based authentication for Internet services, so it is necessary to keep certain lookups from being sent to the LDAP directory. Otherwise, sending email can result in a large number of unnecessary lookups to the LDAP directory, which decreases performance.

You indicate that a directory should be used only for authentication on the Basics tab of the Directory Assistance document as follows:

  • Set Group Authorization to Yes, or mark at least one of the Naming Contexts (Rules) as Trusted for Credentials. Either setting reveals a new field: Use exclusively for Group Authorization or Credential Authentication.
  • The default for Use exclusively for Group Authorization or Credential Authentication is No. Change it to Yes to restrict searches of this directory to group authorization and credential authentication only.

If neither Group Authorization nor a trusted naming context is enabled, the exclusive-use field is not offered, and the directory is searched for all lookups, including mail addressing.
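The effect of the exclusive-use setting can be seen in a small model of how Directory Assistance routes lookups. This is an added example written for this page, not Domino code: the Directory class, the lookup functions, the directory names (names.nsf, corp-ldap) and the duplicated user "Jane Doe" are all constructed assumptions. Each Directory carries the three Basics-tab settings discussed above; mail addressing consults only directories that are not reserved for authentication, while credential checks consult every directory that has an authentication setting enabled.

```python
"""Model of Directory Assistance lookup routing (added example; not Domino code).

Each Directory mirrors the Basics-tab settings on a Directory Assistance
document: Group Authorization, a naming context Trusted for Credentials, and
'Use exclusively for Group Authorization or Credential Authentication'.
All directory contents below are constructed sample data.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Directory:
    name: str
    entries: dict                     # common name -> (distinguished name, password or None)
    group_authorization: bool = False
    trusted_for_credentials: bool = False
    exclusive_for_auth: bool = False  # the 'Use exclusively ...' setting
    lookups: int = field(default=0)   # counts searches sent to this directory

    def authentication_enabled(self):
        return self.group_authorization or self.trusted_for_credentials

    def searched_for_mail(self):
        # The exclusive setting is only offered once an authentication setting
        # is on; without one, the directory is searched for every lookup.
        return not (self.authentication_enabled() and self.exclusive_for_auth)

    def find(self, common_name):
        self.lookups += 1
        return self.entries.get(common_name)


class AmbiguousName(Exception):
    """More than one searched directory matched the name (the 'Ambiguous name' dialog)."""


def resolve_mail_recipient(directories, common_name):
    """Return the distinguished name used for mail addressing, or None."""
    matches = []
    for d in directories:
        if not d.searched_for_mail():
            continue                  # reserved for authentication: skip it
        entry = d.find(common_name)
        if entry:
            matches.append((d.name, entry[0]))
    if len(matches) > 1:
        raise AmbiguousName(matches)
    return matches[0][1] if matches else None


def mail_lookup_is_ambiguous(directories, common_name):
    try:
        resolve_mail_recipient(directories, common_name)
    except AmbiguousName:
        return True
    return False


def authenticate(directories, common_name, password):
    """Return the name of the directory that accepted the credentials, or None."""
    for d in directories:
        if not d.authentication_enabled():
            continue
        entry = d.find(common_name)
        if entry and entry[1] is not None and secrets.compare_digest(entry[1], password):
            return d.name
    return None


def build_directories(exclusive):
    """Constructed sample: the same person exists in the Domino Directory and in LDAP."""
    notes = Directory("names.nsf",
                      {"Jane Doe": ("CN=Jane Doe/O=Acme", None)})
    ldap = Directory("corp-ldap",
                     {"Jane Doe": ("cn=Jane Doe,ou=People,o=Acme", "correct horse")},
                     trusted_for_credentials=True,
                     exclusive_for_auth=exclusive)
    return [notes, ldap]


if __name__ == "__main__":
    print("ambiguous without exclusive setting:",
          mail_lookup_is_ambiguous(build_directories(exclusive=False), "Jane Doe"))
    dirs = build_directories(exclusive=True)
    print("mail recipient:", resolve_mail_recipient(dirs, "Jane Doe"))
    print("LDAP lookups during mail addressing:", dirs[1].lookups)
    print("authenticated by:", authenticate(dirs, "Jane Doe", "correct horse"))
```

With the LDAP directory left unrestricted, the mail lookup finds "Jane Doe" in both directories and raises AmbiguousName; with the exclusive setting on, mail addressing resolves to the Domino® entry and never touches the LDAP directory, while credential authentication against the LDAP entry still works.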